Since at least the advent of personal computers app designers have taken the attitude that they will manage all your stuff of the sort that they specialize in.
Indeed all the common platforms have made this the only natural app design.
If I display mal-formed e-mail that I have received from some miscreant, the code that puts that image on the screen may be compromised.
The result is that hostile code runs with all the authority of the display software.
On conventional platforms that allows the hostile code to send copies of my other e-mail to the miscreant, and even delete my files if it doesn’t mind being noticed, for my e-mail app has that authority.
Some recent browsers have taken to sandboxing and this helps, but this approach is piecemeal and has a long way to go.
Instead the display code should run with only the authority to see the mail and put pixels in a predetermined area on the screen.
That is the easy and natural way to do things in a cap system.
Such languages have much capability like logic in their definition.
(A parameter is much like a capability.)
That logic does not save you from plug-ins or from conventional browser behavior of telling sites about you.