@alexc.id Outside of the sanboxing issues when acquiring updates, which is an older one, which I do not know the status of that one, there was a bug exposed that enabled remote code execution, that affected Skype, Shopify, Slack, among others.
Host-rules were absent from the blacklist. With this flag, one may specify a set of rules to rewrite domain names for requests issued by "libchroumiumcontent.” This enabled a man in the middle attack for Electron on Windows.
Edit: The man in the middle attack enabled siphoning of information from the application, as well as remote code execution.
This issue was patched in late May of this year. This was a patch to a flawed security patch in January. This is an immediate release to the vulnerability. The electron community is still waiting on a more resilient version of this patch that is something other than a blacklist.
I am aware of other issues related to webview and enabling node.js within the Electron sandbox, as well as sandbox escaping, but not the details. For now, avoiding these vulnerabilities are up to self directed developers to educate and learn on how to code around these issues.
On other platforms besides Windows, I think you can do enough research to avoid most of the known pitfalls, and thus I think there may be a possibility to work with Electron in the future.
it is general practice in the industry at this point that development teams are expected to perform their own due diligence on how to avoid security pitfalls that come out of the box with Electron and code around them. This presents another layer of time investment and learning curves related to security that is not what is supposedly required to develop in Electron.