No browser that I've seen comparing itself to arc really does this. I downloaded zen and looked at it for like 30 seconds and it doesn't look like it does this either.

also i would propose that you should spend $100 on advertising (including cost of time reaching out to people etc) to generate $100.10 in profit(not revenue) if the return comes fast enough. you can estimate the opportunity cost of spending that money by seeing what interest rate somebody would loan you money for, if that .10% ROI is more than the interest rate on the money, then it's worth doing, even though it's only $0.10. then if you do need to do something else with the money you can take out that loan. I guess it might be harder to calculate opportunity cost of your employees time since it might take a while to hire more employees, but you can estimate that based on their hourly salary. also hard to calculate opportunity cost of your brand reputation from doing more advertising. and yeah hard to calculate opportunity cost of your own time but you can just estimate a hourly rate and good enough. most of the math is clear though and companies go on that. (disclaimer: i am not an expert on any of this)

it takes the form of a browser extension the user downloads that will tell the user if the javascript code is what it is expected to be. it checks this by verifying the code's expected hash with an endpoint hosted by Cloudflare. Whatsapp can publish new versions to Cloudflare but they can't modify them.

In this case it makes it so that you are trusting Cloudflare instead of just WhatsApp, but (as an amateur), I don't see why this couldn't be adapted into a standard that works with something like a blockchain or certificate authorities (or even something like a git host to go along with public source code auditing?). I think something like this should become a standard and be built into browsers, but currently not a lot of companies are using any solution at all.

The only other implementation of a solution to this that I found, which I think is pretty similar, is Etesync's pgp signed webpages library + browser extension (https://stosb.com/blog/signed-web-pages/), which allows the developer to PGP sign web pages so you know the code has not been modified by a malicious server without the developers approval. So maybe you can use that in your project I guess, or there are probably some other solutions that I haven't found

I think this problem might be called "Code Verification" in cryptography, if you want to look more into it

Versus if you use a library or platform (like Web Components) that cares a lot about backwards-compatibility, they will maintain the security while also supporting your old code for longer.

Is it that he is essentially valuing their time less than his and therefore not viewing them as equals? could someone who feels more strongly try to put their finger on whats so off-putting?