True, but at that point, every website I’ll ever visit and have visited in the past might be a threat, so that doesn’t really matter too much to me.

I’ve got several hits, but none of them have permission to request my location. If I understand the README correctly, that should mean I’m safe, right?

Late reply, but for me personally, I started doing it because my Keepass database is already accessed using two factors (password and key file). Therefore, I’d gain very little by keeping the second factor of those sites external - essentially, those second factors are compounded into the second factor for the database.