armadyl 2 hours ago

AlBugdy and the person you are replying to are literally right re: server-delivered backdoors. Using E2EE applications in a browser moves the trust back from the client to the server. https://news.ycombinator.com/item?id=47664103

> That isn't how any of this works. The main value proposition of Signal is that we do trust its end-to-end encryption. Protonmail sending a "web page" that "leaks your key"? WTF?

Yes, and it's that you also trust the client, with a server that dynamically delivers code you have no way of knowing fully what payload it's sending you. An example of this vulnerability was discussed when it was pointed out that 1P, Bitwarden and others were susceptible to server-side backdoors if used from the web in that research study that came out last month that was posted here.

> And no, mobile apps are not really sandboxed, they have full access to your mobile device once you install it and give it access - and let's be real, most people are just going to blindly click "allow" for anything the app requests after installing an app.

This is genuinely just not true, even if you click allow for all permissions on Android and iOS. An application on a non-rooted device doesn't have "full access."