What are TURTLEDOVE protections against malicious browsers or any form of tampering with the bidding process or reporting happening in-browser?

In #20, it has been mentioned that:

each bidding script would be run by the browser in an isolated environment, where it and the publisher page cannot interact.

But it doesn't seem to cover cases where the browser is malicious / infested (browser extensions, etc.).

Since the reporting will lead to payments by the advertisers, it is paramount that they can be assured that the bidding process was conducted fairly and that the reporting is accurate.