EA here. Can help with cloud / distribution / devops.
If its "all local plain files" (btw that's good for "store it all offline") then the attack vector changes from MITM to corrupting the file sources. So we'd want a way for original file owner to verify/checksum the distribution source, and the downloader to verify/checksum his copy.
>>2352520 Certificate can come from LetsEncrypt.org. Also it's free. I use this for some of my sites already.