Any we client including Matrix webclient is incredibly vulnerable to the server just injecting JS

That doesn’t preclude fediverse clients from enabling E2EE. A web-client isn’t a requirement.

Like there is no point of E2E encryption in Twitter, Musk can read your messages if you open them on any device he can execute arbitrary code on.

Agreed, nobody should trust twitter, but I would trust most mastodon clients to send encrypted messages, if/when implemented correctly. Does it guarantee that messages will never be read? No, but it does an extra layer that wasn’t there before.