If you’re RDPing from a malicious client, how do you know what you’re seeing is real? How do you know that your viewer didn’t show the same screen for just a little too long while the host popped up a cmd, curl, run, close, continue in the background? How do you know that closing your session isn’t “forwarding it to someone else for a bit, but they’ll close it when they’re done”? One time you start a session, verify it with your phone, waiting waiting waiting, an error occurred try again. Did it fail, or did it go to someone else?