moving to a BFF pattern isn't just about hiding tokens, it's about reducing the client attack surface entirely. shifting API orchestration and sanitization to edge proxies makes so much more sense. the browser should just be a dumb terminal rendering UI, not a secure vault managing state and credentials.
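
A sketch of the pattern described above, as an added example that is not part of the original comment: the BFF keeps the upstream token in a server-side session, gives the browser only an opaque HttpOnly cookie, and allowlists the fields it passes back. All names (`sessions`, `ALLOWED_FIELDS`, `handleProfile`, `fakeUpstream`, the `/v1/profile` path) and the token value are constructed for illustration.

```javascript
// Added example: every identifier and value below is hypothetical/constructed.
const crypto = require("node:crypto");

const sessions = new Map(); // opaque session id -> credentials, server-side only
const ALLOWED_FIELDS = ["id", "displayName", "plan"]; // what the UI may see

function login(accessToken) {
  const sid = crypto.randomBytes(32).toString("hex");
  sessions.set(sid, { accessToken });
  // The browser receives only the opaque id, unreadable from page script.
  return `sid=${sid}; HttpOnly; Secure; SameSite=Strict; Path=/`;
}

function parseSid(cookieHeader) {
  const m = /(?:^|;\s*)sid=([0-9a-f]{64})(?:;|$)/.exec(cookieHeader || "");
  return m ? m[1] : null;
}

function sanitize(body) {
  const out = {};
  for (const k of ALLOWED_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(body, k)) out[k] = body[k];
  }
  return out;
}

// BFF route handler: attaches the token server-side, filters the reply.
async function handleProfile(cookieHeader, upstream) {
  const session = sessions.get(parseSid(cookieHeader));
  if (!session) return { status: 401, body: { error: "unauthenticated" } };
  const res = await upstream("/v1/profile", {
    headers: { Authorization: `Bearer ${session.accessToken}` },
  });
  if (res.status !== 200) return { status: 502, body: { error: "upstream_error" } };
  return { status: 200, body: sanitize(res.body) };
}

// Constructed stand-in for an upstream API that over-shares internal fields.
async function fakeUpstream(path, opts) {
  if (opts.headers.Authorization !== "Bearer constructed-token-123") {
    return { status: 401, body: {} };
  }
  return { status: 200, body: {
    id: 7, displayName: "alice", plan: "pro",
    internalNotes: "vip", passwordHash: "constructed",
  } };
}
```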