You could get rid of the need for the browser completely just by publishing an OpenAPI spec for the API your frontend calls. Why introduce this and add a massive dependency on a browser with a JavaScript engine and all the security nightmares that comes with?

Because the nightmares associated with having an API, authentication, database, persistent server etc. are worse. If all you have is an SPA you shouldn't be forced to set up an API just to be called by an LLM.