Yes, I’m in complete agreement with the potential threat… what I’m arguing for is utilizing the natural boundaries client side scripting has built it, i.e. cross site scripting. This is where multiple tenants (I admit that creates an administrative nightmare) or probably more sustainable hybrid approach would create those natural boundaries where one instance, let's say SPO, would be a much more open and free development environment where the on-premises farm would be tightly regulated and governed to prevent rogue code. And to be clear, by “more open and free” I do not advocate for free for all, but more of a culture of openness and possibility vs the “Department of No” that many IT organizations embody. I’ve seen it happen many times, and heard 10x that in stories of “we can’t do that”. The regulations in one organization were so stringent that changing a CSS file would take months… that’s not productive nor is it necessary. When those types of constraints are placed on business users who just want to get their work done effectively and efficiently you end up with people abandoning the platform in lieu of something else. And that benefits no one.