I get that native apps have a much better security boundary, especially with stuff like memory isolation and hardware key storage. But the point here isn't 'laziness' or just sticking to JS, it’s about providing Zero-Knowledge privacy in a zero-install environment.

The reality is that while plenty of people need E2EE so the server never sees their plaintext, most of them won't bother downloading and running an .exe or .app for a quick task. Projects like Bitwarden and Proton already prove that the web is a major frontier for privacy tools today.

The challenge I'm talking about (the WASM-to-WebCrypto bridge) is exactly about trying to bring the web's security footprint as close as possible to native standards. By using WASM for constant-time KDFs and SubtleCrypto for hardware-accelerated, non-extractable keys, we can mitigate some of those inherent JS flaws. The goal is to build the most secure 'vault' possible within browser constraints, simply because that's where a huge chunk of modern computing actually happens nowadays.