It's not clear to me that emailing around attached annotated word documents is any more secure than another web-based option with appropriate authentication.
That's correct, but reality strikes back: Emailing is allowed in a clinical context, installing a server or using github is not possible because then the responsibility is on the side of the IT department, and they will block any changes. Surprisingly, Email is never encrypted, and I have to fight that at least data are zip-encrypted ("Why? We never did this"). Don't ask me about the logic behind this.
But emailing word docs doesn't strike me as that bad of an option...
Frank Harrell in his RStudio talk advocated HTML documents because they support interactivity (DT, plotly), and that's lost after conversion.
The ideal would be a JS package that can be added (nicknamed AnnotDown to honor the other downs) into a report. Installing browser extensions is already difficult, because browser installations are locked in clinical context.
The bottleneck is saving the changes - creating a compound document after the edits with a desktop program could be considered too complicated - "it works with Word and PDF, why should we..."