Comment by pabs3

2 days ago

Static means something different in the context of trust on the web. An entirely static page without JS means you can reason about the page, know it will still work if saved locally etc. A static HTML that loads JS could do anything, like reporting your access to Google, or blocking your viewing if the date is April 1st or whatever, or breaking if it gets saved to archive.org.

File hashes only indicate the file and/or hash weren't modified in transit; you can't know which party created the hash, and whether to trust that party, since they aren't authenticated from developer to browser, only from the server to the browser. Even if there were end-to-end authentication and there were a web of trust that could be used for authenticating developer keys, you can't trust code without auditing it, and you can't audit JS on most sites, because it is almost always minified/obfuscated or huge.

I expect it is unlikely Mastodon would care about JS hashes, because they are delivered by the instances rather than a CDN, and each instance can run a different version of the code, and each instance can modify the code as they please.

As above, many/most sites work fine, or much better, without JS. The ones that don't can be dealt with using external tools like yt-dlp, gallery-dl, zygolophodon, etc.