

A page could load thousands of images and thousands of tiny CSS files.
None of that is JS; all of that is loads of extra requests.
Never mind WASM. It’s a portable compiled binary that runs in the browser. Code it in C#, Rust, Python, whatever.
So no, JS is not the only way to poorly implement API requests.
Besides, HTTP/2 has connection reuse. If the IP and the TLS cert authority are the same, additional API/file etc. requests will happen over the established TLS connection, reducing the overhead of establishing a secure connection.
Your dislike is of badly made websites and the prevalence of the browser being a common execution framework, and is wrongly directed at JS.
My experience of checksums is in things like serial, where they can potentially recover a corrupt bit.
I presume in the case of encryption, a checksum is more of a hash of the raw data? Like a one-way deterministic compute. Easy to get a hash of data, extremely difficult to get data from a hash.
In which case, it’s fine. Passwords are hashed (granted, multiple times), but a cryptographically secure hash is not to be underestimated.