Secondly, the security code needs to hook onto every possible JS API for DOM manipulation, local or remote/network I/O, local IPC, etc. At this point, the security code is running in asynchronous blocking mode, stalling the loading of any subsequent resources on that page. Nothing else runs or loads until this hooking is complete, effectively making this process a single point of failure (SPOF). A SPOF makes it all too easy for your whole website to go down, with devastating consequences for your revenue and reputation.
To make matters worse, the state of JS APIs across browsers is a complete mess given the number of APIs, the lack of support across the board, and the need for browser-specific code. And researchers have found that just the hooking operation alone adds an overhead of 8%.