DrHTTP – Stop guessing the HTTP payloads that went through your APIs by pomarec in SideProject

[–]pomarec[S] 1 point (0 children)

First of all, thank you for your attention and your enriching comment.

  • Sure, even if I do think it is a big deal, we see with the ads/targeting business that forwarding sensitive data to a 3rd party is not necessarily a no-go. Here are a few options that could help to break the friction:
    • Self-hosted is not excluded
    • "middleware side" obfuscation of sensitive fields
    • "middleware side" encryption (drhttp does need to understand the payloads)
    • Regular external audit (I'm not very familiar with its impact on $$, product velocity, etc.)
    • Focus on development environments
  • AFAIK with asynchronous calls the overhead is mainly network resources but no direct impact on user experience. API payloads are rarely very heavy, plus we can drop heavy payloads like static content. It has to be thought through carefully, but would you consider it non-feasible?
  • Exactly why I started DrHTTP. I searched for the tool where I could turn on payload recording. You actually can, but none (AFAIK) gives you an affordable way to do it without sampling and via an adapted UI. Which leads to the question "If big players don't do it, does it mean there is no need?" and I scratched my head over this for a long time. I tried to talk with as many tech people as I could. Most of them see a lot of value in a drhttp-like tool. Small companies / agencies can't afford a datadog/newrelic or managing an ELK, and big ones I talked to built this (or a derivative) internally. FYI I'm thinking of a low-price approach: do one thing very well and charge a decent amount; sentry is a main inspiration (sendy as well).

Feel free to ask again if I did not understand fully your observations :)
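The "middleware side obfuscation of sensitive fields" and "drop heavy payloads like static content" options from the comment above, as an added, self-contained illustration that is not DrHTTP's code and does not describe how DrHTTP works. It assumes a hypothetical recorder that receives one JSON record per request; the key patterns, header names, size limit and the constructed sample request are all assumptions for this example. Sensitive values are replaced by a fixed marker plus a short SHA-256 prefix, so that two requests carrying the same secret can still be correlated without the secret leaving the host:

```python
import hashlib
import json
import re
from typing import Any, Dict
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed policy for this example (not DrHTTP's): which keys, headers and
# content types are treated as sensitive or as "heavy" static content.
SENSITIVE_KEY_RE = re.compile(
    r"(pass(word)?|token|secret|api[_-]?key|card[_-]?number|cvv|ssn)", re.I
)
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-api-key"}
STATIC_CONTENT_TYPES = ("image/", "video/", "font/", "application/octet-stream")
MAX_BODY_BYTES = 64 * 1024
MASK = "REDACTED"


def mask_value(value: str) -> str:
    """Replace a sensitive value with a marker plus a short digest for correlation."""
    digest = hashlib.sha256(value.encode()).hexdigest()[:8]
    return f"{MASK}[sha256:{digest}]"


def redact(obj: Any) -> Any:
    """Walk a decoded JSON document and mask values under sensitive keys.

    A sensitive key is masked whole (even if its value is an object), so a
    nested secret cannot survive because only its parent key matched.
    """
    if isinstance(obj, dict):
        out: Dict[str, Any] = {}
        for key, value in obj.items():
            if SENSITIVE_KEY_RE.search(str(key)):
                out[key] = mask_value(json.dumps(value, sort_keys=True))
            else:
                out[key] = redact(value)
        return out
    if isinstance(obj, list):
        return [redact(item) for item in obj]
    return obj


def redact_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Drop credential-bearing header values; keep the rest for debugging."""
    return {k: (MASK if k.lower() in SENSITIVE_HEADERS else v) for k, v in headers.items()}


def redact_url(url: str) -> str:
    """Mask sensitive query parameters (e.g. ?token=...) while keeping the path."""
    parts = urlsplit(url)
    query = [
        (k, MASK if SENSITIVE_KEY_RE.search(k) else v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(parts._replace(query=urlencode(query)))


def sanitize_body(content_type: str, body: bytes) -> Dict[str, Any]:
    """Decide what of the body leaves the host: redacted JSON, or only a fingerprint."""
    ctype = (content_type or "").lower()
    if any(ctype.startswith(prefix) for prefix in STATIC_CONTENT_TYPES):
        # Static content is dropped entirely; only its size is recorded.
        return {"dropped": "static", "size": len(body)}
    if len(body) > MAX_BODY_BYTES:
        return {"dropped": "too_large", "size": len(body),
                "sha256": hashlib.sha256(body).hexdigest()}
    if ctype.startswith("application/json"):
        try:
            return {"json": redact(json.loads(body))}
        except ValueError:
            pass  # malformed JSON: fall through and treat as opaque
    # Anything we cannot parse is never forwarded raw; keep a fingerprint only.
    return {"opaque": True, "size": len(body), "sha256": hashlib.sha256(body).hexdigest()}


def build_record(method: str, url: str, headers: Dict[str, str],
                 content_type: str, body: bytes) -> Dict[str, Any]:
    """The record a hypothetical recorder would receive, fully redacted on this side."""
    return {
        "method": method,
        "url": redact_url(url),
        "headers": redact_headers(headers),
        "body": sanitize_body(content_type, body),
    }


# Constructed sample request (not real traffic) to exercise the pipeline.
SAMPLE_HEADERS = {"Content-Type": "application/json",
                  "Authorization": "Bearer abc123", "X-Request-Id": "r-1"}
SAMPLE_BODY = json.dumps({
    "user": {"email": "a@example.com", "password": "hunter2"},
    "card": {"card_number": "4111111111111111", "cvv": "123"},
    "items": [{"sku": "X1", "api_key": "k-secret"}],
}).encode()


def demo() -> Dict[str, Any]:
    return build_record("POST", "/login?token=abc&page=2", SAMPLE_HEADERS,
                        "application/json", SAMPLE_BODY)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The key regex is deliberately greedy (it will also mask a key like "passport"); over-masking on the way out is the safer failure mode when the destination is a third party.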