dirkc
3 days ago
I've played with/built a few browser-based encryption tools. What always bothers me is that it boils down to "trust me, I won't send your data anywhere" in a tool with the primary function of sending and receiving data to/from remote servers.
zealer
3 days ago
That's a valid concern and the classic 'chicken and egg' problem of web-based cryptography. You effectively have to trust the delivery mechanism (the server) every time you load the page. My goal wasn't to replace GPG or Signal for high-stakes whistleblowing, but to lower the friction for ad-hoc sharing. Sometimes you just need to send a password or API key to a coworker, and the alternative is often sending it in plaintext via Slack/Email because setting up PGP is too much friction for the other party. To mitigate the trust issue as much as possible, I've kept the source minimal and readable so it can be easily audited in the 'View Source' or DevTools.