
There are implementations where it would work, be effective, or be both.

It all depends on what the key material is protected with at that point. If it's something provided client side and is transmitted securely, and used blindly, then it would work. Anything short of that would probably trigger my curiosity.

Edit: This kind of statement also needs to be prepended with who you're trying to protect yourself from, because that entirely changes the game.

Edit: There's also key exchange (and derivation) that could happen and impact the effectiveness of this process.




If the client is entirely in the browser, it doesn't particularly matter if they give you some keys to scan. You don't know what it's actually doing, or how the keys are generated.


It would need to encrypt the messages in the browser before they are sent, for a start.



