[lev99]

> So customers are skilled enough to check the (webpacked together with other stuff and minified) JS code running in their browser before they run it?

Checking code before it runs is possible. What is much easier is watching the network traffic on the web browser and examining it for sensitive material. It's an order of magnitude better to know that a security breach has _just_ happened than to find out much later, possibly when that information is being leveraged against you.

> spearfish

Almost all significant criminal activity leaves some trace. The buyer, by nature, has more trust in the seller because the buyer must pick up a package a specific location in a date range. The seller would be the most significant market players (spearfish targets), but give up less information in each transaction. The best way to attack would be watching for user mistakes (gps meta-data), social engineering, and zero days.