The updating part reminds me of the research of my friend: "WAIT: Protecting the Integrity of Web Applications with Binary-Equivalent Transparency" (https://arxiv.org/abs/2104.06136) where they attempted to get web projects closer to the integrity guarantees of a desktop application. It doesn't fix the issue completely, because updateability is an attack vector for desktop applications as well, but I remember it being pretty cool and a nice step in that direction.