Question: Why is the frappe object accessible globally within the browser environment?

I’m curious about the role of client-side scripting in ERPNext and Frappe applications. I’ve noticed that the frappe object is accessible globally within the browser environment, which seems to raise security concerns. Can you help me understand the purpose of client-side scripting in these applications and why the frappe object is exposed in such a manner?

Any insights, resources, or best practices related to this topic would be greatly appreciated!

The frappe object is there to allow client-side scripts, which are used for easy customization, like adding extra lookups to fill default fields.

Any operation to the server is called through the API, so it uses the current user's credentials; there are no security concerns.
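
The trust boundary described in the reply above, as an added example that is not part of the original thread and not Frappe's own code: a simplified model in which the server resolves the user from the session cookie, so editing the global client-side object does not change what the API permits. The session ids, roles and method names are constructed for illustration.

```javascript
// Simplified model (constructed for illustration, not Frappe source code).
// Server side: identity comes from the session, never from client-sent fields.
const SESSIONS = { 'sid-alice': 'alice@example.com', 'sid-admin': 'Administrator' };
const ROLES = {
  'alice@example.com': ['Sales User'],
  'Administrator': ['System Manager', 'Sales User'],
};
// Hypothetical whitelisted methods with the role each one requires.
const METHODS = {
  get_customer_defaults: { role: 'Sales User', run: (a) => ({ territory: 'EU', customer: a.customer }) },
  delete_all_invoices: { role: 'System Manager', run: () => ({ deleted: true }) },
};

function serverHandle(request) {
  const user = SESSIONS[request.cookie];           // resolved server-side
  if (!user) return { status: 403, error: 'not logged in' };
  const method = METHODS[request.method];
  if (!method) return { status: 404, error: 'not whitelisted' };
  if (!ROLES[user].includes(method.role)) {
    return { status: 403, error: `${user} lacks role ${method.role}` };
  }
  return { status: 200, message: method.run(request.args || {}) };
}

// Client side: a global-style object that any script or console user can edit.
function makeClient(cookie, user) {
  return {
    session: { user },
    user_roles: [...ROLES[user]],
    // Only the cookie, the method name and the args cross the wire.
    call: ({ method, args }) => serverHandle({ cookie, method, args }),
  };
}

function demo() {
  const frappe = makeClient('sid-alice', 'alice@example.com');
  // Ordinary customization: a lookup used to fill default fields.
  const lookup = frappe.call({ method: 'get_customer_defaults', args: { customer: 'ACME' } });
  // Edit client-side state the way a browser console allows.
  frappe.session.user = 'Administrator';
  frappe.user_roles.push('System Manager');
  const tampered = frappe.call({ method: 'delete_all_invoices', args: { user: 'Administrator' } });
  return { lookup, tampered };
}

console.log(demo());
```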