For the last 6 years we have been facing the same main problem, which is that you CAN connect to, e.g., a PHP socket server from a local production environment without the need for policy grants.
We have developed over 40 multiplayer games and I find this the main issue, because an attacker can simply sniff a packet and send it from their personal computer. During all these years we have developed many sophisticated tools to protect different protocols, but this is still not covered.
"socket.connect" works perfectly without authorization and a policy when publishing the app with CTRL-ENTER.