ECMA TC39 met at Bloomberg in NYC. Security was on the agenda. Mark S Miller presented "Stopping exfiltration" (massive privacy violations vs boundaries) (slides).
The exfiltration talk paved the way for a joint presentation on Realms, which has moved to Stage 2, with Mark Miller, Caridy Patiño and Dave Herman at SalesForce/LinkedIn.
To grok the security features of Realms and what it intends to deal with, expand the image captures on exfiltration.
Exfiltration from Browser
Screenshot of the attack scenario. The target user opens an online streaming website in Tab (2). Pressing somewhere in this tab (for example, to start a movie) causes a pop-under to open up as Tab (3), which then monitors the cache activity on the target machine. When an encrypted email is received and decrypted using Google's encrypted email extension in Tab (1), the malicious advertisement in Tab (3) learns information about the user's secret key.