You can never trust the client, whether the client is a web browser or a mobile device. The client can always be corrupted and altered in an attempt to compromise transactions.
To me this means that I put my business logic and verification on the server. With the server I can lock down access and I have a higher confidence that my code has not been corrupted.
With this in mind, I don’t see how the web can be a “first-class citizen”. Web clients should always be treated as untrusted partners who may have been corrupted.
Web security is really, really hard. The more a client application diverges from the purpose of presentation, interaction and visualization, the more chance there is that it will be compromised.
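As an added illustration of keeping verification on the server (not part of the original comment), the sketch below recomputes an order total from server-held prices and ignores any price or total the client submits. The catalogue, field names and functions are hypothetical, and the sample values are constructed.

```python
from decimal import Decimal, InvalidOperation

# Constructed server-side catalogue: the only source of truth for prices.
CATALOGUE = {"sku-100": Decimal("19.99"), "sku-200": Decimal("5.00")}
MAX_QTY = 100  # assumed business limit per line item


class RejectedOrder(Exception):
    """Raised when a client-submitted order fails server-side checks."""


def price_order(client_order: dict) -> Decimal:
    """Recompute the total from server data.

    Client-supplied 'unit_price' and 'total' fields are never read here,
    so altering them in the browser or app cannot change what is charged.
    """
    items = client_order.get("items")
    if not isinstance(items, list) or not items:
        raise RejectedOrder("order has no items")
    total = Decimal("0")
    for item in items:
        if not isinstance(item, dict):
            raise RejectedOrder("malformed item")
        sku, qty = item.get("sku"), item.get("qty")
        if not isinstance(sku, str) or sku not in CATALOGUE:
            raise RejectedOrder(f"unknown sku: {sku!r}")
        # bool is a subclass of int, so exclude it explicitly.
        if isinstance(qty, bool) or not isinstance(qty, int):
            raise RejectedOrder(f"quantity must be an integer: {qty!r}")
        if not 1 <= qty <= MAX_QTY:
            raise RejectedOrder(f"quantity out of range: {qty}")
        total += CATALOGUE[sku] * qty
    return total


def claimed_total_mismatch(client_order: dict, server_total: Decimal) -> bool:
    """True when the client sent a total that disagrees with the server's.

    A mismatch does not affect the charge; it is a signal worth logging.
    """
    claimed = client_order.get("total")
    if claimed is None:
        return False
    try:
        return Decimal(str(claimed)) != server_total
    except InvalidOperation:
        return True
```
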