@smeg @rabbit @BleepingComputer

Or in a world where there's no mechanism to authenticate the browser binary? (If there's no disk encryption, that's the case; if there is, it's arguable, because we ~never do actual partial-rollback-proof disk encryption.)