I don’t understand. The page can’t access these things, only dev tools, so any action to expose it would still have to be mediated by user action; and even then, what’s so bad about exposing this? Everything in it is scoped to the document, and if it can expose things you don’t want exposed, then so can getEventListeners(), right? Yet getEventListeners returns an actual value. What’s the actual security problem of being able to list all objects on the JS heap?