> Web broswer communicating with a Rust local server: too much hacky, insecure? (DNS rebinding attacks) and does not support native features like tray icons.
You should not discount this, Golang solutions like lorca  do just fine with this using devtools proto for comm (systray can be a separate lib). DNS rebinding attacks are just a host header check away from mitigated. At the least, check out webview  (and its in-dev successor impl ) for not requiring Chrome and having more direct control.
Also, you should look at CEF which ships with Chromium bundled (it's not too huge) and has a C-FFI easily consumable from Rust. I have used this approach with success.
0 - https://github.com/zserge/lorca
1 - https://github.com/zserge/webview
2 - https://github.com/zserge/webview/tree/webview-x