Well, assuming that the front-end app is served through SSL (to avoid MITM), the only other possible hole I see is physical access to the machine while the browser tab is open, no? Can other browser tabs, malware or browser plugins access memory while the app is running?