There is an enormous amount of unauditable shady crap that gets downloaded and stuffed into JavaScript apps like React when you build them. Web apps are hard to make secure, generally shouldn't trust them and not through fault of the dev.