That's just a misunderstanding of the threat model. It's like saying "if someone can just mitm TLS it's pointless" when that "someone" is in the position to run arbitrary code on the client. Mitigations map to specific attacker positions.