"We think NIST should standardize AEGIS" because it supports plaintexts up to 2 EiB instead of AES-GCM's 64 GiB ^3
EME (ECB-Mix-ECB or, clearer, Encrypt-Mix-Encrypt) is a wide-block encryption mode developed by Halevi and Rogaway in 2003 eme. The reference link is also from an implementation in Go.
It's parallelizable. And it's used in rclone for the crypt backend. A personal reason is that I'm porting rclone to Web/Deno so having a professional implementation would be much better than my own.
Seems to be abandoned
Rijndael-256. The confidentiality of AES-GCM is far below 128-bit security ^3. Confidentiality advantage for an attacker is < $\sigma^2/2^{129}$ where $\sigma$ is the number of encrypted 128-bit chunks. Rijndael is to AES what Keccak is to SHA3: the previous, unstandardized version. The idea is to support 256-bit blocks instead of the 128-bit blocks of AES.
That would allow me to greatly simplify the dependencies in several projects I maintain, where I have to use a very heavy isomorphic-webcrypto otherwise.
It's unclear if any of these algorithms are actually worth implementing in noble.