ensdomains / ens

Implementations for ENS core functionality: The registry, registrars, and public resolvers.

Home Page: https://ens.domains/

ENS website should ship with un-obfuscated source code.

MicahZoltu opened this issue

In general, all dApps should ship with un-obfuscated source code. The benefits of minimization/obfuscation in terms of performance are minimal if your web server is gzipping (which it should be) and IMO aren't worth the security repercussions of end-users being unable to quickly/easily validate what is happening.

At the least, source map links should be included along with the minified source, and those source maps should link to publicly available files that modern browsers can pull down.

Also, the source should not be bundled. With HTTP/2 the benefits of bundling are fairly minor and it tends to add yet another layer of obscurity to someone trying to read the source code of the page they are interacting with, and also makes it difficult to validate the page against the claimed source code on GitHub (or wherever).

I disagree; if the security model of your app requires individual readers to read and understand the source code, and you have no way to determine when the source code has changed, your security model is fundamentally broken and will never work for the majority of users.

It should not matter what the dapp does in your browser; all that matters is what it submits to the chain, for which we do need better tools to aid user understanding.
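
One way to do the validation the issue asks for, as an added example that is not part of the thread or the ENS code base: given a minified bundle, its source map and the files from the claimed repository, report sources that are missing or differ. The function names, the sample file names and the `webpack:///` prefix handling are assumptions.

```javascript
// Added example; every file name and content below is constructed sample data.

// Return the last sourceMappingURL comment in a script, or null if none.
function findSourceMapUrl(js) {
  const re = /\/\/[#@]\s*sourceMappingURL=(\S+)\s*$/gm;
  let match, last = null;
  while ((match = re.exec(js)) !== null) last = match[1];
  return last;
}

// Map a source-map entry to a repository-relative path. Stripping the
// "webpack:///./" prefix is an assumption about the bundler in use.
function normalizePath(sourceRoot, source) {
  const root = sourceRoot ? sourceRoot.replace(/\/?$/, '/') : '';
  return (root + source).replace(/^webpack:\/\/[^/]*\//, '').replace(/^(\.\/)+/, '');
}

// Compare each source embedded in the map with the claimed repository copy.
// repoFiles: Map of repository path -> file content at the pinned commit.
function auditBundle(js, mapJson, repoFiles) {
  if (!findSourceMapUrl(js)) {
    return { ok: false, findings: ['bundle has no sourceMappingURL comment'] };
  }
  const map = JSON.parse(mapJson);
  const findings = [];
  if (map.version !== 3) findings.push(`unsupported source map version ${map.version}`);
  const contents = map.sourcesContent || [];
  const lf = (s) => s.replace(/\r\n/g, '\n'); // ignore CRLF/LF checkout differences
  (map.sources || []).forEach((src, i) => {
    const path = normalizePath(map.sourceRoot, src);
    if (!repoFiles.has(path)) findings.push(`${path}: not in claimed repository`);
    else if (typeof contents[i] !== 'string') findings.push(`${path}: no embedded source to compare`);
    else if (lf(contents[i]) !== lf(repoFiles.get(path))) findings.push(`${path}: differs from repository copy`);
  });
  return { ok: findings.length === 0, findings };
}

// Constructed sample: a one-file bundle, its map, and the repository copy.
const sampleBundle = 'var a=function(n){return n+1};\n//# sourceMappingURL=app.min.js.map\n';
const sampleRepo = new Map([['src/inc.js', 'export const inc = (n) => n + 1;\n']]);
const makeMap = (content) => JSON.stringify({
  version: 3, file: 'app.min.js', sources: ['webpack:///./src/inc.js'],
  sourcesContent: [content], mappings: '',
});

console.log(auditBundle(sampleBundle, makeMap('export const inc = (n) => n + 1;\n'), sampleRepo));
console.log(auditBundle(sampleBundle, makeMap('export const inc = (n) => n + 2;\n'), sampleRepo));
```

A clean result only shows that the shipped source map agrees with the repository; confirming that the minified code was produced from those sources requires rebuilding from the same commit and comparing the output.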