Thanks for the pointer. I had a lovely afternoon checking SitePassword. Most of the attacks don't apply because SitePassword doesn't store things like credit card numbers. It also doesn't use web-accessible-resources.
SitePassword was vulnerable to two of the opacity attacks because window.getComputedStyle() reports the opacity is 1 when it is visibly 0.5 on the page. One of them I fixed by checking ancestors (I thought that's what computedStyle did), but I'm stuck on the other one,
The problem is a popover that covers the entire page. The login form has visible opacity 0.5 even though it's not contained in the popover nor is it under it. The z-index for both is NaN. However, the popover is after the login form in the HTML.
I'm not too worried about it because the attacker has to be able to modify the page with the login form. If that's possible, there are lots of other things that can go wrong. Still, it would be nice to fix the problem.