Hello,

The assumption must be made that the content one loads up to Onshape is unsecured, their TOS is clear that the user is responsible for security of their content and they've indemnified themselves of liability in this regard.

The fact is that browser security is broken, and has been for a long time. I'd also question the inherent risk in that scenario of making sure projects are not accidentally marked public, which really would be a bad day for everyone involved. One must assume that if they are using a cloud service there is no expectation of privacy and security of their content.

The other thing to consider is the amount of potentially valuable IP in one spot. It would be easier to compromise that one location and it's content than thousands of endpoints with a variety of security mechanisms. Even if your content isn't specifically targeted your content may be swept up in the dragnet if someone decides to steal the bulk content and pick through it for bits that can be monetized.

I'm not trying to knock the functionality, it's a nifty piece of tech they've built, just some things to consider.