Thinking about zero-trust, zero-knowledge services, I can see how using the open-source client means E2EE is guaranteed, assuming that the community checks the code of new client releases and that the binaries are not fiddled with.
Am I right thinking that if you use a web client instead then you don’t realistically know if the code your browser is sent every time you access the service is compromised? The service may be independently audited, but isn’t it conceivable that a person of interest may be specifically sent one-off compromising code to be executed in their browser (or web wrapper)? Eg Whatsapp, Megasync and many others have optional web clients for convenience. I think this may be why Mega advises against using their web access which they describe as less secure.
You are correct. That was the death kneel of a really cool e2e encrypted chat app that came before Signal/Text secure. I can’t recall the name atm. You are relying on them wanting to avoid the reputational damage of getting caught (it would be trivial for a security researcher to compare two client apps and see the different JavaScript. Beyond that, yeah, they can serve you a compromised site one time and extract your keys.
The implication is that sending links to encrypted files with the decryption key added to the URL (eg Thunderbird Send, Mega etc) is not zero-trust. Decryption may take place locally and the key part of the URL may not be sent to the file hosting service, but when the recipient clicks on the link and is served one-off code by the web site, that code may be compromised.
As we know, the best way to be sure is to do your own separate encryption but without secure-by-design most people will think you are very odd demanding that decryption is done separately and keys are shared through a different channel. Speaking from experience, no matter how much training they are given at work, most people, including HR, would rather you sent them sensitive documents (like passport scans) in the clear as email attachments or at least in a way that involves a single click (Wetransfer etc).