When you log into Card.apple.com, the whole page is just an iFrame to card-static.cdn-apple.com. Because these two URLs don’t share a TLD and things haven’t been configured correctly, Brave blocks the scripts. That results in this nice little error in the console:

Uncaught DOMException: Failed to read the ‘sessionStorage’ property from ‘Window’: Access is denied for this document.

Card.Apple.com works only if you turn off Brave’s shields. While this isn’t truly a security issue — I’m not that worried about card-static.cdn-apple.com being an unsafe source — it’s a shame that nobody at Apple caught this. It’s arguably a bigger shame that the whole thing had to be an iFrame rather than a proxy_pass (or similar) to mask the CDN domain and have it all resolve to the Apple.com TLD.

Nice use of ReactJS though, and ostensibly SvelteJS.