I have created an Electron app to simulate Magecart entirely client-side (so not a true reflection).
It's at https://github.com/kempy007/magecart-shim
Does anyone know of any techniques that could mitigate this risk?
However, I don't feel it would be possible to prevent a script coming from the client side from scraping the data; what the OWASP article mentions would all be server-side controls.
The best answer to mitigate this threat is to implement Content Security Policy headers.
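As an added example (not part of the original posts or of the linked repository), the sketch below builds a Content-Security-Policy header value and checks which outbound destinations it would permit, comparing a policy that only sets `script-src` with one that also restricts where the page may send data. The hostnames `shop.example`, `pay.example` and `collector.invalid` are constructed, and the source matching is a simplification that handles only `'none'`, `'self'` and exact origins.

```javascript
// Added example with constructed hostnames; simplified CSP matching, not a full parser.
const strictPolicy = {
  'default-src': ["'none'"],
  'script-src': ["'self'", 'https://pay.example'],
  'connect-src': ["'self'", 'https://pay.example'],
  'img-src': ["'self'"],
  'style-src': ["'self'"],
  'form-action': ["'self'", 'https://pay.example'],
  'base-uri': ["'none'"],
};

// Weak policy: restricts where scripts load from, nothing else.
const scriptOnlyPolicy = { 'script-src': ["'self'", 'https://pay.example'] };

// Serialize a policy object into the Content-Security-Policy header value.
function toHeader(policy) {
  return Object.entries(policy)
    .map(([directive, sources]) => `${directive} ${sources.join(' ')}`)
    .join('; ');
}

// These directives do not fall back to default-src when they are absent.
const NO_FALLBACK = new Set(['form-action', 'base-uri', 'frame-ancestors']);

// Would `url` be permitted under `directive` for a page served from `selfOrigin`?
function isAllowed(policy, directive, url, selfOrigin) {
  let sources = policy[directive];
  if (!sources && !NO_FALLBACK.has(directive)) sources = policy['default-src'];
  if (!sources) return true; // no applicable directive: the browser does not restrict
  const origin = new URL(url).origin;
  // "'none'" never equals an origin, so it matches nothing.
  return sources.some((s) => (s === "'self'" ? origin === selfOrigin : s === origin));
}

// Report the directives that govern where page content can send data.
function outboundReport(policy, selfOrigin, destination) {
  const report = {};
  for (const d of ['connect-src', 'img-src', 'form-action']) {
    report[d] = isAllowed(policy, d, destination, selfOrigin) ? 'allowed' : 'blocked';
  }
  return report;
}

console.log(toHeader(strictPolicy));
console.log(outboundReport(scriptOnlyPolicy, 'https://shop.example', 'https://collector.invalid/c'));
console.log(outboundReport(strictPolicy, 'https://shop.example', 'https://collector.invalid/c'));
```

In an Electron app the header value can be attached to responses with `session.defaultSession.webRequest.onHeadersReceived`. A policy like this limits where data can go but does not help if an origin it allows is itself serving the malicious script.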