Hacker News
by gefhfffh 1566 days ago
I wonder how you would build an encrypted messenger like Element (app.element.io) without SPA style.

I think it's not even possible, since you are required to process incoming messages client side and must not send any private keys to the server.

1 comments

This is irrelevant in practice because the SPA's code is also loaded from the server - if the server is malicious it'll just serve you backdoored JS, unless you load from a separate domain and have the main server allow cross-origin requests.

If you want to defend against a malicious server you need to make sure your client doesn't load & execute code from said server - it needs to be distributed as a stand-alone application instead of in a browser.

> unless you load from a separate domain

Which is the case... app.element.io doesn't host a Matrix server. Servers are completely independent of that.