You always put trust in the vendor even if they use e2ee because the end clients are made by them.

They can just send things without e2ee from any of their clients (not just web).

> This type of attack could be targeted at the behest of authorities.

No? How can authorities tell them how to do their business?