
Without TLS on your blog anyone in the middle can trivially inject malware to all your readers.


It still can; just add some 3rd party JavaScript or an unpatched backend app.


How do you inject anything into a TLS-served webpage as equipment-in-between without the cert's key?


Supply chain: if you put some 3rd party script link, ad, or tracking on your page, or even just update dependencies to a bad version like the npm packages hack, TLS won't save you if the service or dependency gets hacked.


The biggest culprit is the ad network script. Whether it’s a script tag, an iframe, or an image pixel, it’s basically allowing the browser to send your visit event and user agent information (or the Chrome updated headers) to that 3rd party, and if it’s using JSONP, it can call back a function on the page to inject malware that can take over your browser. Ask me how I know.

You think that’s base64 you’re reading? Hmm. :)
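The JSONP point in the comment above is worth seeing in code. A JSONP response is executed as a `<script>` on the embedding page, so whatever lands in the callback slot runs with the page's privileges, and TLS does nothing about it because the response is legitimately served by the third party. The example below is an added illustration, not code from the thread or from any ad network: it shows a response builder that reflects the callback name unvalidated beside one that refuses anything but a plain (dotted) identifier, plus a small log check a site owner could run. The endpoint path, function names and the log lines are all constructed for the example.

```javascript
// Added example (not from the HN thread): JSONP callback handling, unsafe vs hardened,
// plus a detection helper. All names and sample data here are constructed.

// A JavaScript identifier, optionally dotted (e.g. "window.__cb"). Nothing else is
// allowed in the callback position, because that position is interpreted as code.
const SAFE_CALLBACK = /^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$/;

// Unsafe: concatenates the raw query parameter straight into executable script.
// Any non-identifier characters in `callback` become part of the program the
// embedding page runs.
function buildJsonpUnsafe(callback, payload) {
  return `${callback}(${JSON.stringify(payload)});`;
}

// Hardened: validate, do not "escape". There is no safe escaping for a slot that
// the browser evaluates as code, so a non-matching name is rejected outright.
function buildJsonpSafe(callback, payload) {
  if (typeof callback !== 'string' || !SAFE_CALLBACK.test(callback)) {
    throw new TypeError('rejected JSONP callback name');
  }
  // Conventional "/**/" prefix: keeps the response from starting with
  // attacker-chosen bytes, which matters for content-sniffing abuse.
  return `/**/ ${callback}(${JSON.stringify(payload)});`;
}

// Detection: scan access-log request lines for callback values that are not
// plain identifiers. Useful for spotting probing of a JSONP endpoint you serve.
function findSuspiciousCallbacks(logLines) {
  const flagged = [];
  for (const line of logLines) {
    const m = line.match(/[?&]callback=([^&\s"]*)/);
    if (!m) continue;
    let cb;
    try {
      cb = decodeURIComponent(m[1]);
    } catch (e) {
      cb = m[1]; // malformed percent-encoding is itself suspicious; keep raw value
    }
    if (!SAFE_CALLBACK.test(cb)) flagged.push(cb);
  }
  return flagged;
}

// Constructed sample log lines (hypothetical endpoint /api/visit).
const SAMPLE_LOG = [
  'GET /api/visit?callback=handleVisit&uid=42 HTTP/1.1',
  'GET /api/visit?callback=window.__cb&uid=43 HTTP/1.1',
  'GET /api/visit?callback=handle)%3Bbadcode(&uid=44 HTTP/1.1',
];

// Stand-alone demonstration.
console.log(buildJsonpSafe('handleVisit', { ok: true }));
console.log('unsafe builder would emit:', buildJsonpUnsafe('handle);badcode(', {}));
console.log('flagged callbacks:', findSuspiciousCallbacks(SAMPLE_LOG));
```

Pair the hardened builder with `Content-Type: application/javascript` and `X-Content-Type-Options: nosniff` on the response, and prefer CORS plus plain JSON over JSONP where the consumers allow it; the callback check only limits what a JSONP endpoint you control can be made to emit, it does not protect a page that embeds someone else's endpoint.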



