Very interesting post, with some excellent data. Thanks!
Yoni Rabinovitch

Great question. In short, we’re not worried about any security issues with having redux devtools enabled in production. The biggest attack vector is the json blob embedded in the initial HTML used to hydrate the redux store, but that is inspectable with or without the extension enabled.