You'll find the web gets accurate acceleration (x,y,z) value of device.
So our phone's accelerometer (and maybe gyro) data can be read via JS and leaked to web server。
When was this "feature" applied by w3c? I am shocked that "feature" is defaultly enabled on our phones. I also tested these mobile browsers who claim to be privacy-aware, to see if they prevent JS from reading acceleration:
Firefox Klar (fail)
Duckduckgo Privacy Browser (fail)
Privacy Browser (success)
Most mobile browser developers fail to protect sensor data.