by tonyarkles
3836 days ago
From an encryption point of view though, they're relatively useless. Said three-letter agency now doesn't need to block the app; they can instead MITM the traffic to it or compel the organization to inject additional client-side or server-side code to complete the backdoor. Certificate pinning helps against the MITM problem, but code integrity for downloaded client-side code is pretty tricky. Browsers could add some form of signed code pinning for power users, but it'd be tricky to be able to distinguish between legitimate updates and nefarious activity.