
Before getting on your soapbox about the decentralised web, please look at what Polyfill actually did. I’m not sure what you’re actually suggesting, but the closest remotely viable thing (subresource integrity) already exists. It simply wouldn’t work in Polyfill’s case because Polyfill dynamically selected the ‘right’ code to send based on user agent.

As usual this problem has nothing to do with centralisation v decentralisation. Are you suggesting that people vet the third parties used by the sites they visit? How does that sound practical for anyone other than ideological nerds?



You seem to have a lot of hate for decentralized solutions. Even ones as simple as browsers providing an alternative to DNS and serving static files.

You don’t seem to care about protecting the user.

In a secure environment for the user why the f should the only option be to trust a server to choose which file to send based on the user-agent-reported ID?

The user-agent knows its own ID and can request the static file of its choice from the network. Vetted static JavaScript running in the static website can do that.

You are so whipped by the Web’s inversion of power, that you can’t even seriously consider that alternative when writing your post.

You say it’s too hard for every person to vet static JS bundles and verify that they have no instructions to phone home or otherwise mess with you. Well, that’s why there are third party auditing companies, they can just sign and publicly post approvals of specific bundle hashes, that your browser can then check and make sure at least 2 reputable audits approved that version. Just like it does for chains of certificates when loading a site. In fact, you are currently sleepwalking into learned helplessness by AI models hosted by others, the same way.

At least the HN crowd drew the line at Web Environment Integrity by Google. It’s like you are an enthusiastic defender of mild slavery but oppose beating and killing the slaves.
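
Added example, not part of either comment above: a Node.js sketch of the two mechanisms the thread argues about, showing that one pinned subresource-integrity value can match only one of several user-agent-dependent responses, and what a "at least 2 auditors signed this exact bundle hash" check could look like. The auditor names, Ed25519 keys, approval format and bundle contents are all constructed assumptions; no browser implements this approval scheme.

```javascript
// Added example (not from the thread). Auditors, keys and bundles are constructed.
const crypto = require('node:crypto');

// SRI value as used in <script integrity="...">: "sha384-" + base64(SHA-384(body)).
function sriHash(body) {
  return 'sha384-' + crypto.createHash('sha384').update(body).digest('base64');
}

// Constructed stand-ins for a service that varies its response by User-Agent.
const variants = {
  'modern-browser': '/* no polyfills needed */',
  'legacy-browser':
    'Array.prototype.includes = function (x) { return this.indexOf(x) !== -1; };',
};

// A single pinned integrity value can match at most one of the variants.
function variantsMatchingPin(pin) {
  return Object.keys(variants).filter((ua) => sriHash(variants[ua]) === pin);
}

// Hypothetical auditor with an Ed25519 key pair generated on the spot.
function makeAuditor(name) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return { name, publicKey, privateKey };
}

// Hypothetical approval record: the auditor's signature over one bundle's SRI string.
function approve(auditor, bundle) {
  const hash = sriHash(bundle);
  const sig = crypto.sign(null, Buffer.from(hash), auditor.privateKey);
  return { auditor: auditor.name, hash, sig };
}

// Accept only if >= threshold distinct trusted auditors signed this exact hash.
// `trusted` maps auditor name -> public key; duplicates and unknown signers are ignored.
function isApproved(bundle, approvals, trusted, threshold = 2) {
  const hash = sriHash(bundle);
  const signers = new Set();
  for (const a of approvals) {
    const key = trusted.get(a.auditor);
    if (key && a.hash === hash &&
        crypto.verify(null, Buffer.from(hash), key, a.sig)) {
      signers.add(a.auditor);
    }
  }
  return signers.size >= threshold;
}
```

Because each static variant has its own hash, a client that picks the variant itself could carry one pin per variant, while a server-selected response cannot be covered by a single pin.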



