[Remote CryptoKeys] Problem statement explains why some alternatives are bad, but doesn’t explain why non-extractable keys are not sufficient

[othermaciej]

Implementations may execute cryptographic operations in the client, potentially exposing a user’s private key to JavaScript, which makes keys vulnerable to exfiltration.

If “in the client” here means in webpage code, this is true. But since this is an extension to Web Crypto, which has non-extractable keys, it should explain why those are insufficient. It seems like key issues from our POV (besides security implementation details) are inability to access a non-extractable keys stored in e.g. IndexedDB from another device; or from a native apps on the same device. The problem statement should say that.