I am a pretty cookie-cutter developer. We just make glorified CRUDs and I have tried to convince the engineering director hundreds of times that "There is no use in encrypting and decrypting localStorage with a key that's sitting right inside the client code." Yet they keep insisting on it in the code-quality checklist.
My guess - he’s avoiding political risk. If something goes bad, it’s better to say “it was encrypted but they got the keys” than to defend that the data wasn’t encrypted.
It’s semantics in terms of actual difference to an attacker, but it’s a world of difference when explaining to executives.
I guess they think it results in some kind of security by obscurity... Maybe ward off lazy beginner hackers...