This is what the webext-signed-pages [1] extension does. This only works in a secure manner with Firefox though because Chrome extensions don't have access to the content of the HTTP responses [2].
> If you want your app to be fully end-to-end, you can use the lower level
> unlock mechanisms, which are all end-to-end compliant
So if I want to use the SDK in a "fully" end-to-end secure way, I first need to implement by myself a secure way to transmit the user root secret (the unlock key) between the user's devices, and make sure this key is always accessible so that users don't loose access to their data. This doesn't seem like an easy task...
No, the unlock key is for the user to keep, and never be transmitted by anyone else than the user themselves. If you do the transmission, it's not end to end anymore.
This option is only for users concerned about security, the other unlock methods are less strong but still provide security.
This is actually one of the described use cases of the new webpackage specification: https://tools.ietf.org/html/draft-yasskin-webpackage-use-cas...
Here is the current draft: https://wicg.github.io/webpackage/draft-yasskin-dispatch-web...