by justin_oaks 1005 days ago
Data exfiltration works just fine with a locally downloaded SPA. There's script/image embedding as you mention. There's also iframes and form submissions.

As for XHR, the same-origin principle doesn't prevent the request from going out; it prevents the response from being readable by the page. Even so, a remote site can add the right CORS headers to allow access from anywhere, and your browser will happily send the data out AND allow the page to read the response.

You could probably mitigate most, if not all, exfiltration using a CSP [1] that you manually add to the HTML meta tag.

The reason for using a local copy is so once I verify that the copy I have is "clean" (either built myself or reviewed, and confirmed to not send data out) then I can trust that version until I replace it.

If I load data from a website, there are no guarantees that I don't get a different version every time.

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
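
An added example, not part of the comment above: one way to add the CSP `<meta>` tag it suggests to a saved copy, with a directive for each channel the comment names. It assumes a single-file SPA with inline scripts and styles; the function names, the policy and the sample page are constructed for illustration.

```javascript
// Added example. Assumption: a single-file SPA whose scripts and styles are inline.
const DIRECTIVES = {
  'default-src': "'none'",         // fallback: blocks XHR/fetch/WebSocket, iframes, media, fonts
  'script-src': "'unsafe-inline'", // inline scripts only, no remote script embedding
  'style-src': "'unsafe-inline'",
  'img-src': 'data:',              // embedded images only, no remote image loads
  'form-action': "'none'",         // has no default-src fallback, so it must be set explicitly
  'base-uri': "'none'",            // likewise not covered by default-src
};

function buildPolicy(directives = DIRECTIVES) {
  return Object.entries(directives).map(([k, v]) => `${k} ${v}`).join('; ');
}

// Insert the policy as the first child of <head>: a <meta> policy is only
// enforced for content the parser reaches after it.
function injectCsp(html, policy = buildPolicy()) {
  if (/<meta[^>]+http-equiv\s*=\s*["']?content-security-policy/i.test(html)) {
    throw new Error('page already declares a CSP <meta>; review it instead of adding another');
  }
  const head = /<head(\s[^>]*)?>/i.exec(html); // must not match <header>
  if (!head) throw new Error('no <head> element found');
  const at = head.index + head[0].length;
  const meta = `\n<meta http-equiv="Content-Security-Policy" content="${policy}">`;
  return html.slice(0, at) + meta + html.slice(at);
}

// List remote URLs in src/href/action attributes so they can be reviewed
// before the copy is trusted.
function remoteReferences(html) {
  const re = /\b(src|href|action)\s*=\s*["']((?:https?:)?\/\/[^"']+)["']/gi;
  return [...html.matchAll(re)].map(m => ({ attr: m[1].toLowerCase(), url: m[2] }));
}

// Constructed sample page (reserved .example hosts).
const SAMPLE = `<!doctype html>
<html><head><title>notes</title></head>
<body>
<img src="https://tracker.example/p.gif">
<form action="https://collect.example/submit"><input name="q"></form>
<script>document.title = 'ok';</script>
</body></html>`;

console.log(remoteReferences(SAMPLE));
console.log(injectCsp(SAMPLE));
```

CSP does not govern top-level navigation or ordinary link clicks, so those still need to be checked when reviewing the copy.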