It could be a honeypot. While this likely won’t be the case, if you connect to a website and download directly from there, depending on your browser and os, general privavy and anonymity, they might be able to fingerprint you. Check against some other databases from sites that you visited today that have your real name and you’re bust. Unlikely, but possible.
If the website gets shut down because of suspicion of malicious activity and they intentified visitors, again, through a fingerprint or similar, it’s beasically the same as a honeypot.
So basically, the complexity of modern web browsing is the general issue. How do you circumvent this? Ideally you don’t. Just use a torrent with a p2p VPN in a secure and anonymous manner and you don’t even have to worry about your Javascript canvas.