Everyone understands the benefit of pervasive HTTPS. But it seems odd when you realize it only secures a direct connection to the least trusted server-side component -- the frontend web server.

Is there a standard web framework or design pattern for encrypting data at the client that is intended for consumption by a backend system (as opposed to the frontend)?

You can use Web Crypto with public key to encrypt data in browser, then use private key in backend system to decrypt it. If frontend system is compromised, won’t have private key, but attacker could subvert web page and cause browser to send in plaintext.

So yeah, heh... 1) You _have_ to trust the frontend because it's entirely in control of the content being served. 2) Frontends are universally horrible.