Zero-trust services and web access

Thinking about zero-trust, zero-knowledge services, I can see how using the open-source client means E2EE is guaranteed, assuming that the community checks the code of new client releases and that the binaries are not fiddled with.

Am I right thinking that if you use a web client instead then you don't realistically know if the code your browser is sent every time you access the service is compromised? The service may be independently audited, but isn't it conceivable that a person of interest may be specifically sent one-off compromising code to be executed in their browser (or web wrapper)? Eg Whatsapp, Megasync and many others have optional web clients for convenience. I think this may be why Mega advises against using their web access which they describe as less secure.