It's already possible for a website to get your browser to download illegal content simply by visiting the page, and expose your IP in the process to whoever they want. You don't even need to use JavaScript to do the downloading (just a image or video tag, for example), and the uploading can be done with xmlhttprequest/fetch.

I don't think that's correct. From what I remember of watching his talk[0], Ryan is a fan of JavaScript. TypeScript gives optional typing, so you can still write normal JavaScript anyway. I don't think there was ever a plan to enforce types in Deno.

[0] https://www.youtube.com/watch?v=M3BM9TB-8yA

The trading pin is just a few fixed numbers that you remember alongside your password. It's obviously not a second "factor". If one of my browser extensions gets hacked (or whatever), there goes my life savings.

Even my note taking app has 2FA! It's kinda absurd to me that I'm emailing back and forth with a massive financial institution arguing about whether 2FA is necessary. They put me through to the development team, and this is apparently their response. I'll probably be moving my savings to a different company.

Who is responsible for losses, them or customers?