This vulnerability was analyzed during Episode 129 on 21 March 2022
Great bounty for a fairly simple bug, the showSaveFilePickerwould allow JavaScript to provide options including a default filename, which could include `%envrionment% vars on Windows. The JavaScript could then access the name of the saved file in the resulting promise.