[southerntofu]

> For missing them to be negligence, it would have to be easy to prevent spying from happening.

Well it is! Tech companies should not act as surveillance/intelligence companies: stop gathering personal info on people, and suddenly you've raised the bar considerably for spies to harm your users.

Sure, an insider spy could probably still setup a special-cased JS payload to infect a specific user, but that's more convoluted and more easily detected during review, compared to simply accessing one of the many troves of data companies keep on their users.