Answered

How does the web JS API prevent altering information in the intercomSettings object?

25 October 2021

We implement the user_hash to verify identity, but how are other variables verified? For example, a user might add or alter the "name" property of the window.intercomSettings object, or the information in the company object, even adding themselves to other companies?


Also, one might think to use the Intercom REST API to securely add this information on user_id in a controlled manner, but then the same question still applies: how is adding/altering information via the frontend prevented?


Best answer by Eric Fitz 1 November 2021, 12:21


1 reply


Hey @onno, I can see that you've also been chatting with Sean from our Support team about this, and that he's come back to you with further context. I'm copying his response here so that other Connectors can learn from it.


"First and foremost, the team wants to make it clear that although your points are considered to be legitimate product concerns, they are unrelated to SOC2/ISO/GDPR compliance. We do not share or expose any data, even if a malicious user were to override some of the details associated with their profile. The only concern is that the integrity of the data provided is not guaranteed, but any risk would depend on how customers leverage the product to suit their needs.


With that in mind, if you do have specific concerns about the integrity of your data, the team pointed me to a specific implementation of Intercom (using Rails), which would allow you to integrate the Messenger through Encrypted Mode. With this, you can encrypt your end-user attributes prior to including them in your webpage, preventing any malicious users from tampering with the intercomSettings. They also mentioned that this is a beta feature, so there's a possibility you may have to change your implementation in future. I've also attached a document with more details on getting started if you wish to implement this 👍."
