I wonder if the privacy threat model includes being able to prove that you used incognito mode at all, when, or how much. I can imagine all sorts of leaks in that regard (how many incognito disk files were created, size/ctime/mtime, system logging, indexes etc). None of these would require physical access to the machine at the time of incognito browsing, just subsequently.
Might seem like an incidental concern, but being able to vacuum up a pattern of incognito sessions from a seized laptop (at a border crossing, say) and correlate it with the activity of an online pseudonym could be pretty useful.
> "You can't allow for bytes to sit around on disk in case of crash."
Just check periodically (at startup?) for orphaned temporary storage data. I'm sure there are other parts of the browser that need to do this sort of thing anyway - expired cache data, for example.
Why not just use a temporary file system like /tmp?
EDIT: I suppose these are often backed by memory anyway, so not sure if this would solve the problem, but interested in hearing arguments around it nonetheless.
Maybe they could encrypt with a key kept in memory? That'd still allow detection of use though.
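The two design ideas floated in this thread, a startup sweep for orphaned temporary storage and on-disk session data encrypted under a key that only ever lives in memory, fit together naturally, and the combination also makes the last commenter's caveat concrete: after a simulated crash the orphaned bytes are unreadable, but an observer with later disk access can still count session directories and measure file sizes. The script below is an added example written for this thread, not code from any browser project or from the commenters. It assumes its own conventions (an `incog-*` directory per session holding an `owner.pid` marker, and a crash simulated by rewriting that marker with the pid of an exited child) and uses HMAC-SHA256 in counter mode as a standard-library stand-in for the AEAD a real implementation would use.

```python
import hashlib
import hmac
import os
import secrets
import shutil
import subprocess
import sys
import tempfile
from pathlib import Path

# Constructed illustration: per-session temp storage encrypted under an
# in-memory key, plus a startup sweep that removes storage left behind by
# a session whose process is gone. The cipher is HMAC-SHA256 used as a PRF
# in counter mode with an HMAC tag; a real browser would use an AEAD
# such as AES-GCM. The on-disk layout (incog-*/owner.pid) is an assumption.


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tag mismatch: wrong key or corrupted record")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


class IncognitoStore:
    """Temporary storage for one private session; the key never touches disk."""

    def __init__(self, root: Path):
        self.key = secrets.token_bytes(32)  # exists only in this process
        self.dir = Path(tempfile.mkdtemp(prefix="incog-", dir=root))
        (self.dir / "owner.pid").write_text(str(os.getpid()))

    def put(self, name: str, data: bytes) -> None:
        (self.dir / name).write_bytes(seal(self.key, data))

    def get(self, name: str) -> bytes:
        return open_sealed(self.key, (self.dir / name).read_bytes())

    def close(self) -> None:
        shutil.rmtree(self.dir, ignore_errors=True)
        self.key = b""  # drop the key; any surviving bytes are now unreadable


def pid_alive(pid: int) -> bool:
    try:
        os.kill(pid, 0)  # signal 0 only checks for existence
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def sweep_orphans(root: Path) -> list:
    """Startup sweep: remove session dirs whose owning process no longer exists."""
    removed = []
    for d in sorted(root.glob("incog-*")):
        try:
            owner = int((d / "owner.pid").read_text())
        except (FileNotFoundError, ValueError):
            owner = -1  # no valid marker: treat as orphaned
        if owner < 0 or not pid_alive(owner):
            shutil.rmtree(d, ignore_errors=True)
            removed.append(d.name)
    return removed


def observable_metadata(root: Path) -> dict:
    """What an observer with later disk access still learns: counts and sizes."""
    files = [p for p in root.rglob("*") if p.is_file()]
    return {"session_dirs": len(list(root.glob("incog-*"))),
            "files": len(files), "bytes": sum(p.stat().st_size for p in files)}


def simulate_crash(store: IncognitoStore) -> bytes:
    """Constructed crash: the key is lost and the marker points at a dead pid."""
    child = subprocess.Popen([sys.executable, "-c", "pass"])
    child.wait()
    (store.dir / "owner.pid").write_text(str(child.pid))
    store.key = b""
    return (store.dir / "history.bin").read_bytes()  # ciphertext left on disk


def demo() -> dict:
    root = Path(tempfile.mkdtemp(prefix="profile-"))
    live = IncognitoStore(root)
    live.put("history.bin", b"https://example.invalid/page")
    crashed = IncognitoStore(root)
    crashed.put("history.bin", b"leftover record")
    crashed_name = crashed.dir.name
    leftover = simulate_crash(crashed)
    try:                                   # without the key the orphan is opaque
        open_sealed(secrets.token_bytes(32), leftover)
        unreadable = False
    except ValueError:
        unreadable = True
    before = observable_metadata(root)["session_dirs"]
    removed = sweep_orphans(root)
    after = observable_metadata(root)["session_dirs"]
    live_ok = live.get("history.bin") == b"https://example.invalid/page"
    live.close()
    shutil.rmtree(root, ignore_errors=True)
    return {"removed": removed, "crashed": crashed_name, "before": before,
            "after": after, "live_ok": live_ok, "orphan_unreadable": unreadable}


if __name__ == "__main__":
    print(demo())
```

The sweep only needs to know which sessions are still owned by a running process, so it can run at every startup without any knowledge of the keys; the live session's records survive the sweep and still decrypt. Note what `observable_metadata` reports before the sweep: two session directories with their sizes and timestamps, which is exactly the usage signal the first comment worries about, and encryption alone does nothing to hide it.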