We use the same API as a regular website/Chrome app, so it’s not something specific to devtools. I guess in theory if you map your workspace to a malicious site and then you live edit your site with devtools open, the site might be able to detect your edits? That’s pretty convoluted though.
We assume that information in the workspace is data for your project. I wouldn’t add /etc/passwd to a devtools workspace.