That’s it, really. Assets delivered over ic0.app are mediated by a service worker that checks that they are all certified assets before loading them.
The use case is that a malicious node responding to a query call for an asset could send a falsified response, messing with your application. A certified asset comes with a certificate that is is essentially a merkel tree, signed using our chain key consensus mechanism. That way, you can get a fast query from a single node and trust the signature, even if you don’t trust the node.
That said, the UX of the service worker is definitely slower and limiting, and the operations team is working on an alternate way to achieve the same level of trust through other means