Why would a malicious actor not be willing to setup the same infra as you, with an app on the iOS store to mine data once consented? I don’t see how api usage difficulty is a real security feature…