Put state, auth, or private data behind Workers backed by D1, Durable Objects (DO), or KV, not in static education HTML. Every new Worker must appear in the allowlist and pass security:check.
A future E3 portal (progress, optional cohort) would be gated the same way as passkey flows: policy first, then implementation.