The future product will tunnel all the connections from the inner browser over an opaque pipe (like WebSockets) with the encryption handled by the inner browser (and using cert. pinning).

This is already possible (actually because of a related project, https://github.com/ading2210/libcurl.js/ ) which compiles... I think WolfSSL or mbedTLS and libcurl to the wasm and then uses the same TCP proxy protocol we're using here (wisp) to tunnel HTTPS over a websocket connection securely and opaquely.