Looking at the commit, I am wondering if there is still a vulnerability in sending error messages. What if the malicious server DoS'd the client by sending an extremely long error message, crashing the client when it tries to render it? This also doesn't stop a simple plaintext message that has a phishing message like "Your machine has been hacked and your keys have been compromised, please transfer x BTC to y address within 5 minutes to prevent your private keys from being immediately drained".
Yeah, only allowing servers to send a naked error code matched against a list of preloaded human-readable strings on the clients seems to be the only option that's actually social-engineering proof.
If custom error messages are really needed, you could allow them as a special option while making it obvious through the client UI that this is sent from an untrusted source (field hidden by default, warning displayed when full error message is expanded).
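An added sketch of the client-side handling the two comments above describe; it is not Electrum's code and not part of any comment in this thread. The error codes, strings, limits and field names (`code`, `message`, `detail_hidden`) are assumptions made for the example.

```python
import unicodedata

# Hypothetical table shipped inside the client; codes and wording are assumptions.
KNOWN_ERRORS = {
    1: "The server rejected the transaction.",
    2: "The transaction fee is too low.",
    3: "The server is temporarily unavailable.",
}
GENERIC = "The server reported an unknown error."
MAX_RAW_CHARS = 4096     # bound the work done on untrusted input
MAX_DETAIL_CHARS = 200   # bound what the UI ever has to lay out
WARNING = "Sent by the server, not verified by this wallet."


def sanitize_detail(raw):
    """Reduce untrusted server text to one short line of printable characters."""
    if not isinstance(raw, str):
        return ""
    raw = raw[:MAX_RAW_CHARS]
    kept = []
    for ch in raw:
        if ch.isspace():
            kept.append(" ")                      # newlines and tabs become spaces
        elif unicodedata.category(ch)[0] != "C":  # drop control, format, other "C" chars
            kept.append(ch)
    cleaned = " ".join("".join(kept).split())
    if len(cleaned) > MAX_DETAIL_CHARS:
        cleaned = cleaned[:MAX_DETAIL_CHARS] + "..."
    return cleaned


def render_server_error(response):
    """Turn an untrusted error response (expected: dict) into UI fields."""
    if not isinstance(response, dict):
        response = {}
    code = response.get("code")
    if isinstance(code, bool) or not isinstance(code, int):
        code = None                               # only plain integers select a string
    detail = sanitize_detail(response.get("message"))
    return {
        "message": KNOWN_ERRORS.get(code, GENERIC),  # always client-owned text
        "detail": detail,                 # untrusted; display as plain text only
        "detail_hidden": True,            # collapsed until the user expands it
        "detail_warning": WARNING if detail else "",
    }
```

The headline string never contains server-supplied characters, so a phishing sentence can only ever appear in the collapsed, labelled detail field.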
The safest option now is just to consider Electrum as insecure by default. Same with Ethereum's Parity desktop and Metamask. They're convenient for day-to-day use but don't trust them with big amounts.