One possible option might be to use e.g. an AES cipher to encrypt the communication (which could then continue working over HTTPS). You would need to pre-share a key, but that could be well automated, I think.
It could then work like this:
- the user installs the web clipper extension and clicks 'connect to Joplin'
- Joplin displays a popup, something to the effect of 'attempted connection to Web Clipper endpoint, do you want to allow it?'
- The user clicks 'yes'. A random encryption key is generated (unique per extension instance) and stored in both Joplin and the Clipper extension.
Then when using:
- Endpoint only accepts encrypted connections. When a connection is made, Joplin tries the saved passwords to decrypt the contents; if it succeeds, good, it's from a pre-approved connection. If it fails, discard the message entirely.
I think there are benefits to an approach such as this one: there is some action the user needs to take, but it's basically just two clicks. And any specific key can be revoked (and thus the access channel blocked) if some foul play is suspected.
One obvious flaw is the key sharing: if some network logger were present in the instance of the first (and only) key transmission, or if it could later be dug out from the filesystem, everything is compromised. But I do think this is negligible (i.e. I'd risk it with no care) and the other attack vectors probably are much more probable. (i.e. if you already have a keylogger on your PC, you have far bigger problems than too many spam notes in Joplin; however, you might not want to expose Joplin to port scans and spam at a later time, which is the more likely scenario, anyway.)
Disclaimer: this is just an idea off the top of my head and I'm no security expert. Maybe it's dumb and I'm dumb for thinking it.