What exactly is the issue with permanent storage? The idea with certificates is that the private key stays put.
When you want to use another browser or reinstall one, just re-enroll the new one. Ten one-time recovery keys act as an alternative second factor, just like it's commonly done now.
I'm not saying there aren't any tradeoffs at all, but in my opinion they're minor when compared to OTPs, SMS or Yubikeys. Not nearly enough downsides to explain why no major service supports client certs.