Yes.
This is what is happening on my #nostr #safebox project- signed JSON events for inter-app communication, https/JSON/API for web app client only.
Discussion
Can you explain to me how web apps, e.g. wallets, secure data in encrypted enclaves within the browser. Recently I realized that I didn't understand this nearly as well as I should.
The web app stores an encrypted session cookie on the browser. Only the app server can decrypt. The browser can't do anything with it.