It's still served by the site and I doubt most are interested or capable in auditing software to perform routine online tasks.

I am not sure there are good solutions besides going off browser.

P.S. I was involved in user authorization, attestation and privacy flows for a particular product recently and the browser was always where shit hit the fan. The web features are just not made with simplicity and privacy in mind. Then again we had more complex constraints.

There's an extension as well [1]. This means that the code is not being served by the server in this use case.

[1] https://private.sh/extension.html