> Sure, you can do client-side encryption and pretend serve can't see the plaintext, but it's just a theatre,

Keeping a private keep on the client to sign your activity is a fundamental cryptography practice.

If you use a private key to sign your emails or git commits, it’s not security theater.

If you were to have to upload your private key to GitHub or your email provider, that would be severity theater.

> Is author new at the whole web thing?

Unnecessarily mean comment.