It's a good question! We had a similar debate on my last project. Ultimately, the backend should always handle the core encryption. The frontend doing it too is arguably defense-in-depth, but adds complexity. A simple solution for the frontend is HTTPS. Besides, after work, sometimes I just want to relax and virtually destroy planets with Solar Smash rather than debating encryption algorithms! What are some practical ways to ensure the backend's encryption is truly robust?