Out of curiosity, why can’t Web Decker use “secure context” APIs? Is it just because they might not always be available? So far as I can tell, “secure context” includes https:// URLs (like Itch or Neocities), file:// URLs (a page saved locally to use offline) and http://localhost URLs (if you’re developing a website and testing it locally before uploading it). That’s not everywhere, but I imagine it’s most of the places people would try to use Decker.
Different browsers have inconsistent behavior regarding file:// and localhost-served lone pages; in many cases a user would need a local webserver and a self-signed ssl certificate. It's a very frustrating foot-gun that's especially difficult and confusing for people who aren't already steeped in web development.