you can. however, i hope they don't store it unencrypted - it's a very bad security practice for many reasons. assuming they store it encrypted with a temporary session key, the session key will necessarily be on the server. honestly, storing it on the server in a session storage is not a big deal. my original points are that a) web security is hard, b) web e2ee is sort of hype in practice