Philosophical arguments against JavaScript
If you think about security models, most people are back to single user systems. Their user account on their laptop is their life. If that gets compromised, who cares about root access or not. The gold is in the guest bedroom, not the master closet. So who cares if the attacker doesn't make it to the master closet? They've already got the gold.
These days, 90% of a user's interactions with the internet or any data could be through a browser. There's no real separation between webpages. Cookies carry over. There's no OS-level sandboxing between tabs. It's very common to have documents in Google Documents, personal life in Facebook, and videos on YouTube. Then if you add in shopping, Reddit, Voat, Poal, etc., it all happens under the same field. If one page has some linked page that manages to compromise the browser, the whole person is compromised, even if the browser is sandboxed separately from the rest of the system. I'm not saying every user puts their whole life in a browser, but most do. Even if you do "private browsing," most attacks from pages in the private window likely could easily get data out of the non-private window.
Thus I would say the security model in Qubes should probably be applied to the browser. Tabs being isolated processes. Or maybe just using different windows sandboxed from one another. I'm not saying that browser developers are morons and there's no security at all. I applaud Mozilla for Rust and the lengths most browsers go to sandbox. But they are extremely complicated applications, and that complexity simply makes holes inevitable. And unfortunately, if the browser is compromised it's not just one page, it's probably all of a user's important data. If not right away, certainly if a keylogger is put in place. And if you own the browser, you can log keystrokes in the browser. Just wait for the passwords. Or steal the cookies and proxy through the browser to get logged-in sessions where needed.
Security risks really aren't all, even though I keep harping on them. Products will tend to keep advancing in an arms-race fashion up to any limits imposed. It used to be enough to show a graphic on the side of a website and sell it as an ad. Now the companies buying advertising want to know who their ad is going to, engagement, demographics, etc. And a social media website has to be sufficiently engaging. Dopamine is being gamed to get people more and more addicted as they are the product.
Sure, there's a lot of mess in the data. You go and get a coffee and it looks like you're really focused on one thing. Or does it? You're not moving your mouse pointer. These developers are pretty bright. They know what to look out for. And while nothing is perfect, an unaware person can easily be manipulated and held captive by the dopamine they can't resist.
I wish this was fiction but it's not. Or if it's not, it's very, very close to reality.
Thanks for reading.
PS: If you like reading rants about software, this is the place to be.