Hacker News

Certain companies have been extraordinarily interested in implementing WebCrypto without mandating HTTPS. Which is to say, a man-in-the-middle attacker could trivially modify the JS that calls WebCrypto and cause different operations to be performed.

My suspicion is that they have contractual agreements with the non-technical folks in the studios that they have to "encrypt" content, and the technically-competent redistributor has no direct interest in the crypto being sound. If the API gave them 256-bit military-grade AES encryption, but only in ECB mode, they'd probably use it.



