Solving the Nostr web clients attack vector

Original link: https://fiatjaf.com/6829ad8b.html

## Nostr Client Security and Control

A key vulnerability of Nostr lies in its reliance on centralized web clients such as Coracle.social. If the owner of the domain hosting the client is compromised or acts maliciously, a large number of users could be exposed to unwanted or harmful updates. The proposed solution is to treat a client as a *subjective* version identified by the hash of its code, rather than only by its domain name. This means a client can be hosted on a decentralized platform such as Blossom, letting users choose a specific version and update to a new one voluntarily. This approach gives users control, allowing them to stay on a trusted version even if the original source is compromised. Crucially, it allows forking: if a client's owner is compromised, the community can adopt a safe copy, effectively transferring the "official" version and isolating the malicious update. This promotes resilience and decentralization within the Nostr ecosystem.

A discussion arose on Hacker News around an article on fiatjaf.com about a potential attack vector in the Nostr protocol. The core issue is the current practice of web clients asking for the user's private key (nsec) in order to interact with the network. The concern is that if a website hosting a Nostr web application is compromised, it could serve malicious code, potentially allowing an attacker (jokingly called "the Mossad" in the comments) to display fake posts or censor content. Because Nostr relies on key pairs for authentication and on relays for distribution, a stolen key could be used to impersonate a user or manipulate what they see. Commenters pointed out that this is a fundamental trade-off (Zooko's triangle) and stressed the need for safer approaches, such as browser extensions for client-side signing, rather than trusting a web app with sensitive keys. The debate highlights the tension between usability and security within the Nostr ecosystem.

Original text

One problem Nostr still has to deal with is the fact that web clients are "owned" by someone, because they rely so much on the domain name they're served from.

Everything is fine with, say, https://coracle.social/, until npub1jlrs53pkdfjnts29kveljul2sm0actt6n8dxrrzqcersttvcuv3qdjynqn decides to shut it down, or perhaps is threatened into including some malicious code in there; most Coracle users are going to fall for that and Nostr will feel broken.

With native apps that problem isn't so big as updates aren't mandatory, automatic and invisible as in the case of web apps (although there is still a problem with malicious app stores such as Google Play, but we can't solve everything at once).

Maybe the correct way to approach this would be to treat Coracle as a subjective thing, not "whatever is on the coracle.social domain", but "this version of Coracle I use represented by this hash".

Any decent Nostr web client must be capable of running entirely on the client side, as a "static" webpage made of just HTML, JS and CSS, so it should be possible to have these files hosted on Blossom and referenced by the hash of the "index.html".

The hard part is how to get users to use not https://coracle.social/ directly, but their chosen version of Coracle, which they update voluntarily whenever npub1jlrs53pkdfjnts29kveljul2sm0actt6n8dxrrzqcersttvcuv3qdjynqn decides it's time to add some more spinners -- but they can also opt not to update. In fact they should be able to use any previously released version. And, most importantly, if it becomes known that npub1jlrs53pkdfjnts29kveljul2sm0actt6n8dxrrzqcersttvcuv3qdjynqn is being blackmailed by the Mossad, then someone else can release a fork of Coracle, and that fork may be chosen by most people to inherit the subjective denomination of "Coracle", such that most Coracle users will now use that and follow updates from that new source, ignoring the compromised npub1jlrs53pkdfjnts29kveljul2sm0actt6n8dxrrzqcersttvcuv3qdjynqn and his nefarious updates.
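The following is an added illustration of the "subjective client" model described in the paragraphs above; it is not code from the article or from Coracle, Blossom or any Nostr project. It models a user-side pin that identifies a client by the sha256 of its index.html (the same hash Blossom uses to address a blob), refuses bytes that do not match regardless of which host served them, offers but never auto-applies updates announced by the followed publisher, supports rollback to any earlier trusted release, and lets the user re-point the name "Coracle" at a fork's publisher. The release bytes and announcements are constructed samples; the maintainer npub is the one named in the article, and the fork publisher key is a placeholder.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample releases of a hypothetical static web client. A release is
# identified by the sha256 of its index.html, which is also the identifier a
# Blossom server would use to address the blob.
RELEASE_V1 = b"<!doctype html><title>Coracle</title><script src='app.js'></script>"
RELEASE_V2 = RELEASE_V1 + b"<!-- some more spinners -->"
FORK_RELEASE = RELEASE_V1 + b"<!-- community fork -->"
TAMPERED = b"<!doctype html><title>Coracle</title><script src='evil.js'></script>"

# The maintainer's npub is the one named in the article; the fork publisher is
# a placeholder, not a real key.
MAINTAINER = "npub1jlrs53pkdfjnts29kveljul2sm0actt6n8dxrrzqcersttvcuv3qdjynqn"
FORK_PUBLISHER = "npub1PLACEHOLDER_fork_maintainer"


def blob_hash(data: bytes) -> str:
    """Content address of a blob: hex sha256, as Blossom computes it."""
    return hashlib.sha256(data).hexdigest()


# Constructed release announcements: which publisher vouches for which hash.
ANNOUNCEMENTS = [
    {"publisher": MAINTAINER, "hash": blob_hash(RELEASE_V1)},
    {"publisher": MAINTAINER, "hash": blob_hash(RELEASE_V2)},
    {"publisher": FORK_PUBLISHER, "hash": blob_hash(FORK_RELEASE)},
]


@dataclass
class PinnedClient:
    """A user's subjective 'Coracle': the hash they currently trust, the
    publisher whose announcements they follow, and every earlier trusted hash
    so they can roll back."""
    name: str
    current: str
    publisher: str
    history: list = field(default_factory=list)

    def verify(self, data: bytes) -> bool:
        # The loader trusts the hash, not the domain the bytes came from.
        return blob_hash(data) == self.current

    def offered_updates(self, announcements) -> list:
        """Hashes announced by the followed publisher that the user has not
        accepted yet. Nothing here is applied automatically."""
        seen = {self.current, *self.history}
        return [a["hash"] for a in announcements
                if a["publisher"] == self.publisher and a["hash"] not in seen]

    def accept_update(self, data: bytes) -> str:
        """Voluntarily move the pin to a release the user has chosen."""
        new = blob_hash(data)
        if new != self.current:
            self.history.append(self.current)
            self.current = new
        return new

    def rollback(self) -> str:
        """Return to the previously trusted release."""
        if self.history:
            self.current = self.history.pop()
        return self.current

    def adopt_fork(self, publisher: str) -> None:
        """Transfer the subjective name to a fork: keep running the pinned
        hash, but take future update offers from a different publisher."""
        self.publisher = publisher


def load_client(pin: PinnedClient, fetched: bytes) -> str:
    """Decision a hash-aware loader makes for bytes fetched from any host."""
    return "load" if pin.verify(fetched) else "refuse"


if __name__ == "__main__":
    pin = PinnedClient("Coracle", blob_hash(RELEASE_V1), MAINTAINER)
    print(load_client(pin, RELEASE_V1), load_client(pin, TAMPERED))
    print("offered:", pin.offered_updates(ANNOUNCEMENTS))
```

The pin is the only thing the user has to keep; the bytes can come from coracle.social, a Blossom server or a local copy, and a tampered index.html served from the "right" domain is refused exactly like one served from the wrong one.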

This article on Nostr

naddr1qqyrvwpj89skgwrzqyghwumn8ghj7enfv96x5ctx9e3k7mgzyqalp33lewf5vdq847t6te0wvnags0gs0mu72kz8938tn24wlfze6qcyqqq823c36zcak

#nostr