Use separate security and privacy requirements sections or have a joint section? W3C generally treats them separately, but there are many requirements that overlap. Privacy is about information flow and access to information (especially PII); security is more general and concerned with confidentiality but also integrity, authentication, etc.
Will attempt to do two sections and see if I can work out labelling, etc.
In general, the S&P G doc does not separately list "privacy threats". E.g., we don't have a "tracking" threat in the S&P G doc.