Correct MIDDLERUN. Also, a bad guy COULD put a phony website..etc..you mean like now anyway.?? Not to mention any secure or authentication methods set up between user/device to vendor/site. I guess an inside job maybe to register subdomains? That would be or could be going on now anyway. Are we missing something here? I'm not that smart but I can't see a big issue here other than some simple retraining maybe? Thoughts?
I work at a web development agency, and there is literally no reason to be upset/concerned about the removal of "www" and "m." because they ARE trivial. Most users don't type "www" anymore, and any developer worth their salt will set up a force redirect to send those users to the full TLD with the "www" at the beginning.
Also, anyone saying that the same URL with/without the "www" is not the same site is straight-up wrong. (Having said that, if the above forced redirect isn't implemented, you might get a page not found error, but there's no way you're going to see two different sites.)
Having said all of THAT, the only concern people are raising that MIGHT be worth discussion is if Google is indeed planning on sending everything through AMP - even if there are no indications that is forthcoming.