by hdhzy
3124 days ago
> The webcrypto api also can't stop the server from sending malicious javascript to a user which when run uses the webcrypto key to decrypt the user's data and send it back to the server.

Yes, but virtually nothing protects against proxying requests. Non-exportable keys protect against using them when the device is powered off.

> Also, if the server is malicious on the first connection, then the server could just not use the webcrypto api to begin with, and just make use of a key that the server knows instead.

Agreed, but it's kind of like Trust On First Use. I guess it depends on one's trust model if they consider it a good trade-off.
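
What the two positions in this exchange look like in code, as an added example that is not part of the original comment: a WebCrypto key generated with `extractable` set to `false` refuses every export, yet any script running in the page can still decrypt with it. The function name and the sample plaintext are constructed for illustration.

```javascript
// Added example, not from the thread. Runs in a browser console or in Node.
const webcrypto = globalThis.crypto?.subtle
  ? globalThis.crypto
  : require('node:crypto').webcrypto;

async function nonExtractableKeyDemo() {
  // extractable = false: script only ever gets an opaque CryptoKey handle,
  // never the raw key bytes.
  const key = await webcrypto.subtle.generateKey(
    { name: 'AES-GCM', length: 256 },
    false,
    ['encrypt', 'decrypt']
  );

  const iv = webcrypto.getRandomValues(new Uint8Array(12));
  const plaintext = new TextEncoder().encode('constructed sample record');
  const ciphertext = await webcrypto.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, plaintext);

  // What the non-exportable flag does give you: every export format is
  // refused, so the key material cannot be copied off the device by script.
  const exportRefused = {};
  for (const format of ['raw', 'jwk']) {
    try {
      await webcrypto.subtle.exportKey(format, key);
      exportRefused[format] = false;
    } catch (err) {
      exportRefused[format] = true;
    }
  }

  // What it does not give you: whoever controls the JavaScript in the page
  // can still ask the browser to decrypt with the handle and forward the
  // plaintext, which is the "proxying requests" case from the comment.
  const recovered = new TextDecoder().decode(
    await webcrypto.subtle.decrypt({ name: 'AES-GCM', iv }, key, ciphertext));

  return { extractable: key.extractable, exportRefused, recovered };
}

nonExtractableKeyDemo().then(console.log);
```
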