Device theft/loss — OS keychain/keystore, encryption at rest,
biometric lock
Network interception — TLS, certificate pinning
Prompt-injection exfiltration — the outbound guard limits what can ever be
sent; sanitize retrieved content
Model provider leakage — BAA, zero-retention settings, send
minimum-necessary
Re-identification via leaked variants — don't transmit the sequence
Logging itself is a threat surface — never log PHI; log ids and metadata only.