It's been a while and I don't remember the details.
All I remember is that I was developing the secret 'creator' code using Brave (my default unsecured browser) and at some point I had to switch to Safari (which I normally save for trusted websites only).
It's possible it was a red herring, and I switched browser but the problem was something else I did at the same time.
Blocking crypto on file:// is not to spec, and testing above (https://news.ycombinator.com/item?id=34084526) none of the browsers do that.