The whole value proposition is that the beefy remote machine is handling the rendering, isn't it? At least half the performance of a web page is wasted on DOM re-shuffling.
Not to mention, it's not like Chrome can run Javascript without looking at the data, and if they're not running Chrome, they'll start getting into compatibility issues.
If Mighty behaves like a full replacement for a modern web browser on my system, it will have to give the web pages I visit (opt-in) access to my GPS, camera, microphone, Bluetooth, battery information, and other peripherals, I sliding all of my mouse and keyboard input. It will have to allow me to upload or download files from the web page. Also, all my tabs are running on the same remote VM, so this only protects other systems, not my banking or JIRA.
Sure, it's the ultimate sandbox for the code itself, it probably protects me perfectly from Meltdown attacks against other programs on my main system, but I don't think that's enough to call it 'endpoint security'.
I don't have the faintest idea, but the notion of having my session cookies and credentials stored in a VM somewhere makes me very nervous and I am not even half paranoid.
So they need to figure it out otherwise it's only valid for personal use, which is not exactly the money is, imho.
Maybe some self hosted solution for corporate departments? Or waiting for an acquision from Citrix or VMWare...
How on earth would that work for their product? They need to access the data so they can render it.