How about client seeds being leaked? a web html page need just some scripts to do so
As OP said, when the "server secret seed" can be "manipulated" as much as wanted, that's don't give any real insurance there
The client seed isn't something that needs to be kept hidden from either party. As soon as you set it, the casino knows what it is.
What of creating an external open source tool to secure the randomization provided, even if it bet very well-known, casinos would be forced in some way to adopt it !
It can be provided from an external server so no need of adding module or extension from the client side
Sha-256 provides all the 'randomness' needed I think.