As should have been clear, I wasn't talking about apps with Fortune 1000 company customer data. I certainly did not suggest the mild javascript-hashing technique would be appropriate for such situations. (So, your 90+ word tangent hypothesizing that I might try to sell such a thing is... obdurate? A strawman? Unfair?)
And, you seriously think there are "no" passive-only attackers? No people happy to merely scan or log traffic, not actively hijacking TCP sessions, but looking for info to exploit later? I suggest both the guy in the wifi cafe running a sniffer, and the NSA hardware in AT&T's room 641A, count as "passive-only attackers". Of course the javascript-hashing technique is only helpful against the former.
And, you seriously think there are "no" passive-only attackers? No people happy to merely scan or log traffic, not actively hijacking TCP sessions, but looking for info to exploit later? I suggest both the guy in the wifi cafe running a sniffer, and the NSA hardware in AT&T's room 641A, count as "passive-only attackers". Of course the javascript-hashing technique is only helpful against the former.