There are a lot of security issues in the architecture you described above:
There are other ways to do this stuff safely, although I don't envy your situation.
In a lot of cases focusing on security isn't possible: maybe it's due to a very bad team dynamic (like back-end developers not wanting to work with you), maybe it's due to legacy issues -- but whatever it is, it isn't always feasible.
I like to keep things simple and try to focus on security for apps that require it -- and in these cases I just do the most basic straightforward thing possible.
If you ever find yourself using encryption tools manually (especially in JS) you may want to re-evaluate your goals and see if there's something simpler you can do.
I didn't really have a choice. The users wanted the SPA to be fast, my bosses wanted it to be secure, and the backend engineer was unwilling to address his performance issues. I had to compromise a bit.