1) The code, for now, runs locally. This is good. To avoid the possibility of the code being tampered with at a later day (for example, it could be modified to send copies of the image to a server), download the webpage and use the saved copy, not the live copy.
2) Do not use the blur functionality. For maximum privacy, this should be removed from the app entirely. There are _a lot_ of forensic methods to reverse blur techniques.
3) Be weary of other things in the photograph that might identify someone: reflections, shadows, so on.
4) Really a subset of 2 and 3, but be aware that blocking out faces is often times not sufficient to anonymise the subject in the photo. Identifying marks like tattoos, or even something as basic as the shoes they are wearing, can be used to identify the target.
Any examples? You can't reverse it if the data is gone.
That's the problem - the data you think is gone isn't gone. High frequencies are gone.... but you left all the low frequencies, didn't you? You can read a face from the low frequencies.
How about replace each face with a "this is not a person" AI generated face, then blur+mosaic. Or just a non-person face using a deepfake system that matches the facial expression?
Don't tell people what not to do. Figure out why they're doing it, and provide what they actually want while still achieving the goals (here: security).
Very coarse mosaic, add noise, then blur seems reasonably safe, and doesn't have to look like crap.
I'd also like to know how mosaicing is reversible, since it demonstrably reduces the total available amount of information from e.g. 20x20 = 400 RGB values to a single RGB value. This is not sufficient for text where you can start brute-forcing individual options because the search space is small and inputs can be reconstructed precisely, but I'd like to see an explanation why you think this is reversible for photos (even without noise added). I'd also like to know how you want to remove random noise applied to each mosaic block.
The mosaicing is supposed to be the security step here. The blur is optional eye candy not expected to remove further information.
In particular, if you claim that a face mosaiced with a large "pixel" size (e.g. so that the typical face is 5x5 "mosaic blocks" big), you're effectively claiming that you can perform facial recognition based on noisy 5x5 pixel images.
it doesn't matter though. as I've explained, it's far easier to come up with flawed schemes than prove them insecure. just because I can't explain why your specific scheme is insecure doesn't mean it stands a chance against real cryptographers.
Hence my suggestion to reduce a face to something like 5x5 blocks.
While I'm familiar with the crypto design problem, this is not a crypto algorithm. Sure, it can't be ruled out that someone in the future will find a way to do it, but the state of the art says that 5x5 pixels are not anywhere near enough to run face recognition.
And a solution that may be broken in the future is often much better than a solution that people don't use because it doesn't meet their needs, which in this case is not having fugly black boxes in their picture.