Even if that is done, there has to be verification for absence of security vulnerabilities in the app itself, because if data can trigger code execution, you're done. It's much easier to manipulate its own data for the web service itself than for other parties trying to exploit XSS vulnerability.

In other words, you must ensure that the frontend treats the entire backend as a hostile actor, not just the code it serves, but also the data.

Not all web frontends are written like that; many serve HTML snippets that get pasted into the DOM unchecked, instead of passing JSON data and rendering on the client side. You can sign the static frontend code all you want, and you're still owned by the service itself in this case.