“local/sessionStorage is more difficult to intercept (not impossible, just really, really, really difficult.)”
If you mean “intercept” as in something between the client and server, then it is more then difficult, it is impossible as LS values aren’t sent to the server. If you mean “intercept” as in see/modify, then you are very wrong. Modifying LS values is as simple as opening up dev tools. You get a nice view of all the data and you can modify them easily enough. To be clear, that doesn’t make the feature bad, I love LS, but it is trivial for users to see how you use it.