Using a website to send confidential information is the preferred option. The use of encrypted messenger phone apps such as signals is not recommended in this context because the phone can be seized. Encrypted email traffic can also be detected. TLS traffic on the other hand is ubiquitous. Also, nothing on the client side is needed.
My impression was that the CIA had a decades-long history of wretched incompetence before there was such a thing as a web site. Obvious high-level Soviet moles overlooked for years, known-broken codes used for "our source will die if this leaks" communications, etc.