Super interesting! Thanks for writing!
So, if you use an outside service for payment processing (like Spotify, for example), are you suggesting they use an SRI link for that script? Or avoid using outside services at all?

I guess this line isn't clear to me:

But how much easier is it for an attacker to subtly change their JavaScript than to hack their entire mainframe?