The basic principle still holds: "Kerckhoffs's principle is the concept that a cryptographic system should be designed to be secure, even if all its details, except for the key, are publicly known" - which seems to be happening here (caveat emptor, also this should be self-hostable).
In other words, the security still hinges on the secret key, except you're not directly using the password Secr3tKey#website.example, but its hash. If everyone used this, the password strength would still be only dependent on the secret key strength, and wouldn't provide an easier avenue to a preimage (i.e. can't find the key other than by brute force; even though the explanation has some worrying confusion between hashing and encryption). Fairly straightforward, except some opsec concerns (e.g. "domain name lapses in a few years and Evil Operator starts logging the secret keys", or "site is unavailable for initial load, even though it does work offline afterwards").