A mobile client may store agent prompts, repository paths, diffs, command output, and downloaded artifacts. Protecting the live app sandbox is not enough if those files enter a device cloud backup you did not include in the threat model.

Start with a data inventory.

Data

Needed offline?

Backup allowed?