“…The majority of the work (i.e., 11 out of 16) [30], [31], [32], [33], [34], [35], [36], [37], [38], [39], [40] assume blackbox attacks and the rest consider white-box attacks [41], GAN-based attacks [42], fault injection attacks [43], [44], and membership inference scenarios [45]. A typical assumption is that adversaries have complete access to the rich OS.…”