From the Glossary: This definition is vague on the notions of protection domain and platform. We exploit that vagueness here. This paper: The Security Architecture of the Chromium Browser describes the Chrome browser as providing two protection domains, the web and the user’s machine. Vulnerabilities in the web savvy browser code will not, by them selves, lead to abusing the user’s authority, except possibly with other web sites.
Object Views: Fine-Grained Sharing in Browsers

Questions on The Security Architecture of the Chromium Browser:
I hope that the “multiple instances” in “The browser kernel is responsible for managing multiple instances of the rendering engine” are unable to communicate with each other except by principled means.
It is not clear whether different ‘instances’ share a JavaScript heap. That is consistent with stated security goals, but not other considerations.
Quote:

This suggests that they either trust the JavaScript engine, or provide separate heaps.

The plug-in situation is vexatious.

Quote:

This sounds like access lists and permissions! I need to find definition of “security token”, “Windows Job Object” and AdjustTokenPrivileges in the Windows context.

Quote

This means that any mounted FAT32 system is an ambient authority.