TLS for browser communication should work great; if the website can't control its scripts, then there's no reason to trust its execution anyway. The main problem space, in my opinion, is encryption support between your service and the Matrix server, as messages get stored long-term in that space, which comes with possible privacy risks. Your solution would probably mitigate that problem perfectly!