It’s possible `/` redirects but other hidden routes phish. If someone gets e.g.: a fake password reset email, it might help the attacker bypass sanity checks users make.
If I target a specific region with a phishing link and redirect if the requestor is not in that region I can probably maintain my phishing domains for longer.
If I target a specific region with a phishing link and redirect if the requestor is not in that region I can probably maintain my phishing domains for longer.