1) To provide data sharing securely, Mylar uses the principal graph. Why does Mylar need a *graph* of principals -- why can't it use a flat data structure, consisting of a list of principals for every data item?

2) If an attacker can inject malicious JavaScript into a client's browser from a compromised server, the attacker can steal the user's keys. How does Mylar protect against such script injection? After all, the code comes from the server, and the server can be compromised.