Great idea. Wanted to point out that a relatively easy solution to the phishing attack brought up several times in the discussion (where an adversary intercepts the file and creates a fake one that exfiltrates the key) is to temporarily disconnect from the internet when decrypting, and to do so in an incognito window and close it right after. So short for a 0-day browser hack, you'd be safe.

Perhaps you can add this as optional instructions to the decryption page.