I feel like your speaking in atitides, but not looking at this situation specifically.
If I can unlock your computer with your password or with the word "hello" and you have no intention of removing the "hello" feature, would you not agree that we might as well remove the password entirely?
How do we increase the attack surface of service workers by adding background sync, when we can get nearly identical behaviour using push?
If you goal is purely to not increase the attack surface, you might as well never add any new APIs ever.
If you're going down the analogies rabbit hole: let's say your front door is unlocked. Should you then just open all your windows because, you know, everyone already has access to your house?
> when we can get nearly identical behaviour using push?
The devil is in the details: is it nearly identical behaviour? How nearly is it identical? I personally don't know.
One wakes up the background page on a timer, the other wakes it up based upon a external controllable trigger. It's trivial to fire that external trigger based upon a timer.
If I can unlock your computer with your password or with the word "hello" and you have no intention of removing the "hello" feature, would you not agree that we might as well remove the password entirely?
How do we increase the attack surface of service workers by adding background sync, when we can get nearly identical behaviour using push?
If you goal is purely to not increase the attack surface, you might as well never add any new APIs ever.