The main issue is the trust base. Allow the entire code base of a site to be pinned down to a cert (and that has to be done outside the website context, i.e. in-browser), and you're halfway there.
Say, a signed webapp manifest, listing all files that are supposed to be used in that context and their hashes. On first execution, the associated key is stored, maybe compared with third party knowledge about the site (not tampered with) and key (known not-trustworthy).
After that, you know when someone other than the maintainer tampered with the code.
With that you're down to trusting the maintainer. Which makes it as good as any other code distribution scheme.
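The scheme described in the comment above, sketched as an added example that is not part of the original comment: a signed manifest of file hashes, checked against a key pinned on first execution. The Ed25519 signature, the JSON manifest layout, the `pinStore` map and the origin `https://app.example` are assumptions made for illustration.

```javascript
// Added example: signed manifest + trust-on-first-use key pin (all data constructed).
const crypto = require('node:crypto');

const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest('hex');

// Maintainer side: hash every file, then sign the exact manifest bytes.
function buildManifest(files, privateKey) {
  const hashes = {};
  for (const name of Object.keys(files).sort()) hashes[name] = sha256(files[name]);
  const body = JSON.stringify({ files: hashes });
  return { body, sig: crypto.sign(null, Buffer.from(body), privateKey).toString('base64') };
}

// Client side: pinStore is a hypothetical per-origin Map kept by the browser,
// outside the reach of the site's own code.
function verifyApp(origin, manifest, publicKeyPem, files, pinStore) {
  const keyId = sha256(publicKeyPem);
  const pinned = pinStore.get(origin);
  if (pinned && pinned !== keyId) return 'key-changed'; // not the key seen first
  const key = crypto.createPublicKey(publicKeyPem);
  const sig = Buffer.from(manifest.sig, 'base64');
  if (!crypto.verify(null, Buffer.from(manifest.body), key, sig)) return 'bad-signature';
  const listed = JSON.parse(manifest.body).files;
  for (const [name, data] of Object.entries(files)) {
    // A file absent from the manifest fails the same way as a modified one.
    if (listed[name] !== sha256(data)) return 'tampered:' + name;
  }
  if (!pinned) pinStore.set(origin, keyId); // first execution: store the key
  return pinned ? 'ok' : 'ok-first-use';
}

// Constructed walk-through: first visit, repeat visit, modified file, re-signed by another key.
function demo() {
  const maintainer = crypto.generateKeyPairSync('ed25519');
  const other = crypto.generateKeyPairSync('ed25519');
  const pem = (kp) => kp.publicKey.export({ type: 'spki', format: 'pem' });
  const files = { 'index.html': Buffer.from('<script src="app.js"></script>'),
                  'app.js': Buffer.from('console.log("v1")') };
  const modified = { ...files, 'app.js': Buffer.from('console.log("v1-modified")') };
  const pins = new Map();
  const origin = 'https://app.example';
  const m = buildManifest(files, maintainer.privateKey);
  return [
    verifyApp(origin, m, pem(maintainer), files, pins),
    verifyApp(origin, m, pem(maintainer), files, pins),
    verifyApp(origin, m, pem(maintainer), modified, pins),
    verifyApp(origin, buildManifest(modified, other.privateKey), pem(other), modified, pins),
  ];
}
console.log(demo());
```

A manifest re-signed by the maintainer's own key would pass every check here, which is the remaining trust in the maintainer that the comment points out.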