Not having any isolation between games seems like a massive security/privacy issue unless I’m seriously misunderstanding the situation.
- Any game or its analytics/ads could essentially see a list of every other game a user has played that saved anything locally. This seems especially serious since itch.io hosts a lot of NSFW games as well as games geared towards marginalized groups.
- A troll could upload a game that messes with or deletes saves from other games. I know the public listings are moderated, but itch.io is often used for game jams where people share direct links to games that haven’t been checked yet, which bypasses moderation. Even an unintentional bug in one game could wipe saves from others.
- Some of the game-making tools at https://itch.io/tools/platform-web run in the browser and also save to local storage. This means that a malicious game/tool could steal someone’s works in progress, or private games they are making for themselves and don’t intend to share, if they use any of those tools.
- the user granting any permission (location services, camera, microphone, notifications, etc) to one game would grant that permission to all games
Don’t believe me? It’s right there in the OWASP cheat sheet: “ Avoid hosting multiple applications on the same origin, all of them would share the same localStorage object, use different subdomains instead.”