We don’t know the attacker’s angle; they are very creative.
I like to think about it in the most general terms. Think about it like this:
What are the highest value screens in the application?
What are the highest risk screens in the application?
What are the most trusted and most interacted-with screens in the application?
Now, how can we de-risk those screens and prevent trust transitivity from those screens, whilst ensuring they retain as much of their value as possible?
You’re right. Now I ask you, why can’t this be part of the attacker’s angle?
Think like an attacker. Hell, think like a marketer or sales guy.
If I replicate the screens the user trusts and get compliance, then they are more likely to comply on the following screens. Just like in face-to-face sales or any landing page flow, you want people to say yes to these to create a micro confirmation bias: if I can get you to enter your password on an official-looking screen, then I’m more likely to have your trust when you are asked to enter your passphrase. Even the Status application itself does a flow similar to this on account recovery.
You must be new to crypto. Passphrase stealing happens by scammers all the time, especially in bull markets, in regular browsers no less.
So, on the assumption that a user doesn’t care, the solution is to cater to braindead users by removing a defense for users who do care about their transaction security? I don’t think we should cater to the lowest common denominator user when it comes to security.
People don’t read, and they certainly don’t remember. Why would a user who doesn’t care to read in the first place read this, and then, worse, remember it? Unless you imagine this popping up every time… in which case the anti-phishing feature of the transaction signing screen is a continual reminder to be vigilant, is functionally useful, and is less verbose than a two-sentence paragraph.