"Attack vectors" is a very interesting choice of words. Yt-dlp is literally using a public API for its intended purpose (accessing videos). The only difference is how yt-dlp is delivering the videos to the user. Probably as much of an "attack" as user-agent spoofing or using browser extensions.

But to answer your question, no, there aren't any suitable APIs (I've looked into it). They all either require JavaScript (youtube.com and the smart tv app) or require app integrity tokens (Android and iOS). Please let me know if you know something I don't?

▲

cakealert 3 days ago | parent [-]

What about the smart TVs? There have to be a lot of them, do all of them run JS?

Also what kind of environments are executing the JS? If Google begins to employ browser fingerprinting that may become relevant.

	▲	gamer191 3 days ago \| parent \| next [-]
		Youtube’s tv app is actually just a website (youtube.com/tv, although you need a tv user agent). So yeah, I think most tvs are using JavaScript and the rest are using the tvlite api which has less formats than web_safari (which will continue to work in yt-dlp without Deno if you’re willing to accept 1080p downloads with inferior codecs)
	▲	int_19h 2 days ago \| parent \| prev [-]
		They have been using the older APIs kept around for the benefit of those smart TVs for a very long time, but things move on and newer TVs get fancier hardware and more full-featured software, which includes YouTube, and so Google has started proactively dropping support.