> How can the window.crypto API create and use a crypto key that's handled by the browser?
By setting extractable to false when creating the key; see https://www.w3.org/TR/WebCryptoAPI/#dfn-CryptoKey-extractabl...