I still don't exactly understand: "What stops an attacker from abusing the broker?" The broker is trusted and runs with higher privileges?

Neelay