Hacker News

hexage1814, yesterday at 8:05 AM (4 replies)

It doesn't matter. Web-based cryptography is always snake oil

https://web.archive.org/web/https://www.devever.net/~hl/webc...


Replies

szmarczak, yesterday at 8:20 AM

> if the server operator was malicious, they could just push different client-side JavaScript

Same as with OS updates, browser updates, dependencies used by the OS, dependencies used by the browser. Also you can run malicious software such as keyloggers and you're compromised.

That argument doesn't mean E2E (even web-based) is snake oil. Browsers just give you more points of failure.

afiori, yesterday at 8:33 AM

Agree, but a significant point missed in the article is that of data vulnerability. With E2EE the company DB is useless to an external attacker.

For some companies (e.g. Facebook, Google, TikTok) I would be mostly worried about the company itself being untrustworthy. For others I would be mostly worried about the company being vulnerable.

tuxracer, yesterday at 8:15 AM

It's a native app, what are you talking about?
