The software development world was so clean back when it all started. Nowadays its just picking libraries and whatever they do, they do. A lot of the time it's just some kind of react library that uses local storage automatically, and because you use it in your login script it just happily stores your password. Sure it's only on your laptop, but at some point someone is going to pull in a third party script tag that pulls in a live hosted library that at some point could be compromised.