Makes sense, it all depends on your risk profile. For most people, disabling javascript is unthinkable. The same attack vector is possible using native apos too of course. If you want perfect opsec you need to have verifiable builds etc