Perhaps many, but I have over 500 accounts in my password manager, yet none of have been leaked per the password exposure report (which I assume is based on the https://haveibeenpwned.com/ database).

So perhaps the problem is overblown in practice, assuming you don’t use the same password in many sites.

Realistically, how often does this happen?

Maybe find a solution when it happens.

In theory, yes. But if you follow the link and that leads to downloading the JS and running it, you’re already too late inspecting it.

And even if you review it once (and it wasn’t too large or obfuscated via minification), the next time you load a page, the JS can be different. I guess there could be a web browser extension for pinning the code?

The only practial alternative I know of is to have a local client you can review once (and after updates).

So the trick is to use the #fragment part of the URL, that is not sent to the server.

Of course the JS one downloads from the server could easily upload it to it, so you still need to trust the JS.

Alas my game PC is going to stick with Windows due to bad state of VR in Linux :/. And therefore one day it might need to update to Windows 11.

In particular if you have a headset that is not Valve Index, though apparently with Meta Quest one can use ALVR, as long as you get the actual games running.