If you don't trust the entities that hold valid (according to your browser) TLS keys for the domain that provides the software, then you can't do anything: whoever provides the software can start providing software that does something different than you want it to do.
If you do trust any entity that holds valid TLS keys for some domain, then you can have javascript provided by that domain use normal localStorage (https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API). localStorage is bound to origin: i.e. the browser will allow code that executes in context of a page to access localStorage for that page's origin and no other (by "origin" I mean essentially the domain: https://developer.mozilla.org/en-US/docs/Glossary/Origin).