Because it is impossible to achieve, by design of the web, without trusting your server or installing something on your machine.

Let's say your encryption application comes from your server. If you have to trust your server anyway, why make a huge effort to try to put it into the web browser?

Since your web server controls what you see in your web browser, you can't tell whether it will simply make the web page transmit an unencrypted copy of whatever message you are reading or authoring to somewhere you wouldn't want it to go. So the browser silently allows the server administrator to watch over your messaging. You MUST trust your server. It's inevitable.

The entire architecture of HTML and Javascript is intended to be so flexible that you cannot ensure the safety of crypto operations. The existence of plenty of dedicated crypto APIs and libraries does not solve this chicken-and-egg issue of trust: a web server can make it look like everything is fine, and you can't tell that something is going on behind your back.

Even the developers of Javascript crypto solutions admit that their tools are only useful if the server is trustworthy: "A person getting access to your server can modify Javascript code and public key of the receiver."

There's also the possibility of a man in the middle inserting malicious Javascript designed to redirect copies of your unencrypted messages elsewhere, maybe even your passwords and private keys, so he only needs to do this once. Thanks to the complete unreliability of the X.509 certification infrastructure, it is only a question of money for a man in the middle to view or modify anything you send or receive over HTTPS.

A web browser just isn't suited for 100% private communications as it is built to do what the web server tells it to.