I’m working on a little secure notes app, think along the lines of StandardNotes/Notesnook, as is client side encryption/zero-knowledge server. I’m an experienced web dev but newb at crypto (at least in this regard). I’m trying to weigh the pros/cons of just sticking with browser native WebCrypto using PBKDF2/sha256 for key derivation + AES-GCM for encryption, vs. using like libsodium-wrapper supplied Argon2id key derivation and XChaCha20-Poly1305 for encryption.
The pros to sticking with WebCrypto is obviously no extra dependencies and libsodium doesn’t have great JavaScript docs so easier for me to mess up implementation. The downside is that PBKDF2 isn’t memory-hard like Argon2id so in the event of a leak it is less resistant to brute force via a GPU.
Is that all accurate and if so, is determining if the WebCrypto implementation is “good enough” a matter of choosing my threat models, and in the threat of a leaked dataset and a sufficiently motivated GPU based attack it would be “probably not good enough”.