And that would give the attacker exactly what?

Yes, I can come up with scenarios where this gives an attacker exactly what they need to time some scam (or mugging) perfectly. I can just as easily come up with scenarios where the same attacker uses already available (or inferrable) information for the same purpose.

Look, many banks are perfectly fine with letting you opt into showing the account balance on their app before log-in step[0]. So why not let someone opt-in to direct access to that information? Or even opt-in to allow the app to expose this information somehow. Even in a body of a goddamn notification[1] (not disabling screenshots is too much to ask, I know, surely everyone will get hacked if this is enabled).

Paranoid mentality about cybersec is a big part of the problem - in itself, but also because it legitimizes the excuses app vendors provide to force users into their monetization funnels.

--

[0] - It's not a very useful feature, since you still need to open the app - and at that point, it's faster to log in via PIN or biometrics than to "swipe down to reveal account balance" or whatever bullshit interaction they gate access through in lieu of just showing the damn thing.

[1] - The increasingly common pattern of "let's notify user that something happened, but do not say what happened in the body of the notification" is getting infuriating. It's another way to force users to "engage" with the app, and it happens to also deny one of the few remaining ways of getting useful data from the app for purposes of end-user automation.