I would like to caution a bit against the auto proxy or at least warn users. By sharing the same browser and protocol (HTTP) there are CSRF concerns that can be triggered from the public web. Similarly unprotected pages on the safenet side may access public web resources. I would at least strongly encourage the safe launcher’s proxy to have options to set CSP headers (I know this is just a demo, I am just warning because people attacking Tor were able to do deanonymization by tying things from the public web to the user, granted this was more through services the Tor user was using inside the Tor browser).
Great work! I look very much forward to the messaging API being available via the launcher API to implement my app idea (might I suggest web sockets instead of traditional HTTP or long polling?).