diff --git a/index.html b/index.html
index daaf1a2..824037c 100644
--- a/index.html
+++ b/index.html
@@ -273,7 +273,7 @@
- Local-first
- - Secure (read-only) content
+ - Secure (read-only & scriptless) content
- Spatial deeplinking
- XR at rest
- No interop-washing
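Review bot: "scriptless" on the added list item is stated as a property but not defined at this point, so a reader cannot tell whether it means the content format has no scripting capability or that scripts are stripped or ignored at load time. Suggest linking the item to the "How important is security?" answer, or wording it along the lines of "Secure (read-only, no embedded scripts) content". Minor: since this is index.html, consider "and" or `&amp;` instead of the bare `&` to keep strict validators quiet.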
@@ -491,7 +491,7 @@
Q: How important is security?
- A: It depends, The value of a digital common lies in its liquidity. If you wrap public-domain content in restrictive security layers (like heavy DRM or complex access controls), you destroy the "common" aspect. Since the content is meant to be seen and shared, there is no "secret" to protect. Attempts to ensure it isn't maliciously altered are saluted.
+ A: It depends, The value of a digital common lies in its liquidity. If you wrap public-domain content in restrictive security layers (like heavy DRM or complex access controls), you destroy the "common" aspect. Since the content is meant to be seen and shared, there is no "secret" to protect. Attempts to ensure it isn't maliciously altered are saluted. Scripting languages as part of the content are hypermedia-'killers' as they are a huge attack-vector (eventually turning browsers into a unuseable banking-grade security sandboxes). Open fileformats like `.gltf` and their extensions are at the safest side of the spectrum.
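Review bot: the closing sentence of the added text, "Open fileformats like `.gltf` and their extensions are at the safest side of the spectrum", is broader than the argument before it supports. The point being made is about content without scripting, not about openness, and "their extensions" covers an open-ended set, so the sentence also vouches for any extension that might add behaviour. Suggest narrowing it to declarative, script-free formats and qualifying the extensions part (for example "extensions that do not introduce scripting"). Wording fixes in the same addition: "a unuseable banking-grade security sandboxes" mixes singular and plural and should read "unusable banking-grade security sandboxes", "attack-vector" and "fileformats" are normally written "attack vector" and "file formats", "at the safest side" should be "on the safest side", and "It depends, The" (carried over from the old line) needs a full stop or a lowercase "the". If this block is raw HTML rather than rendered Markdown, the backticks around `.gltf` will show literally and should be a `<code>` element.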