vovanidze
7 hours ago
The npm supply chain attacks were a massive wake-up call. The fact that we normalized storing sensitive tokens in localStorage for the last decade is wild.
Moving to a BFF pattern isn't just about hiding tokens; it's about reducing the client attack surface entirely. Shifting API orchestration and sanitization to edge proxies makes so much more sense. The browser should just be a dumb terminal rendering UI, not a secure vault managing state and credentials.