Update on looking into best practices for security and privacy for the PWA: I did a link dump of resources I found on the Canny task. Upshot was: it is possible to encrypt everything stored locally via a password. Possible vulnerability is limited to on-device attacks, as well as server side. From what I saw during research, man in the middle attacks are thwarted by https. So I definitely think its a good idea to start looking into encryption methods that would make sense for how our pwa is designed. There are a few mentioned in some of the articles. I don't think I've got enough knowledge to do that research, but I'll definitely keep on the lookout for more resources.