If it's worth saying, but not worth its own post (even in Discussion), then it goes here.
If the attacker can run code on your device, a keylogger is a much simpler solution.
Not if it's sandboxed, but then timing and other side-channel attacks are still easier than using the mike.