You mean, unless they tamper with the Javascript to capture the password (or the derived key).

I designed a similar tool with that threat model in mind: the resulting HTML/JS is as minimal as possible so it’s possible to inspect before entering the password. Of course assumes safe browser and client machine.. https://github.com/dividuum/html-vault

Kind of possible. With enough content, would you actually spot a "}; and some highly obfuscated code in the middle of the blob? (My guess is a no)

You're right. Probably not. But at least the chance exists as there isn't a multi-KB obfuscated JS dependency somewhere that would be a lot harder to handle.

Valid if you actually host the file online. Local files are generally not allowed to make requests. Not sure if local storage methods are usable without http/s.