[e12e]

Technically Sri only reduces the amount of trusted data you need to keep around; you'd need an index.html that loads gpg.js and a js client that talks to a server (eg: jmap or a bespoke jsonapi that allows getting/sending mail).

This is pretty much what browser extensions do; bottle up some hypertext resources, signed and versioned.

You still have three obvious threats: local superuser can read application memory etc; your local user can read your memory and any browser compromise/bug can likely read your browser/session data.

The real question is if the browser sandbox is ever likely to be good enough that you don't have to worry about a font file from a compromised website about kittens reading your email in another tab.