Then, let's say attacker installs a malicious ServiceWorker in your application
(thanks to XSS and arbitrary file upload):
Now, if you reclick the "download" button, let's see what is happening...
The malicious actor has now complete control
over the requests sent by the browser to your application,
but also to all the responses from your web application to the browser.
In short, Service Workers are total Man-In-The-Middle JS code.
Take care that this is fully persistent: even if you close the browser or
go to another page (try going to service-worker-data.txt),
then the Service Worker will still be able to alter the requests and responses!
You can remove the malicious service worker by clicking the below button: