ECMA TC39 met at Bloomberg in NYC, and security was on the agenda. Mark S. Miller presented "Stopping Exfiltration" (massive privacy violations vs. boundaries). slides
"Stopping Exfiltration" paved the way for a joint presentation on the Realms proposal, which has moved to Stage 2, with Mark Miller, Caridy Patiño and Dave Herman at Agoric/Salesforce/LinkedIn.
To grok the security issues Realms is intended to deal with, see the image captures on exfiltration.
Exfiltration from Browser
Screenshot of the attack scenario. The target user opens an online streaming website in Tab (2). Pressing somewhere in this tab (for example, to start a movie) causes a pop-under to open as Tab (3), which then monitors the cache activity on the target machine. When an encrypted email is received and decrypted using an encrypted email extension in Tab (1), the malicious advertisement in Tab (3) learns information about the user's secret key.
Linking exfiltration to blockchain smart contracts: Sarah Meiklejohn on deanonymizing Zcash: paper