Web Browser Security - Mitigation v Isolation

Spot on. Chrome, with its isolation-based security, has a more robust approach by default. From personal experience: it’s easier to build a barricade around my laptop than to guard my nephew continuously.

Interestingly, the seccomp thing he mentions is conceptually related to capability-based access control which, for example, is used by all the microkernels that Genode can run on top of. From the seccomp Wikipedia article:

[…] seccomp allows a process to make a one-way transition into a “secure” state where it cannot make any system calls except exit(), sigreturn(), read() and write() to already-open file descriptors.

An “already-open file descriptor” is pretty much equivalent to a capability: an opaque reference to a resource, and the rights we have for them.

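To make the "already-open descriptor as capability" point concrete, here is a small added example (my own, not from the post above or from Genode, and it assumes Linux with seccomp available): a child keeps two pipe ends it was handed before lockdown, enters strict mode, still reads and writes through them, and is killed by the kernel the moment it tries to acquire a new resource with open(). The function name `strict_mode_demo` is made up for this example.

```c
#include <ctype.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/seccomp.h>

/* Forks a child holding two "capabilities" (read end of one pipe, write end of
 * another), switches it to seccomp strict mode, and has it echo msg upper-cased.
 * Returns 1 if the child was SIGKILLed on open() as strict mode dictates,
 * 2 if the kernel refused strict mode (e.g. a container runtime already
 * installed a seccomp filter), -1 on setup failure. Reply is copied to out. */
int strict_mode_demo(const char *msg, char *out, size_t outlen) {
    int to_child[2], from_child[2];
    if (pipe(to_child) != 0 || pipe(from_child) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char buf[64];
        close(to_child[1]); close(from_child[0]);
        /* One-way transition: from here only read/write on open fds, exit, sigreturn. */
        int locked = prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) == 0;
        ssize_t n = read(to_child[0], buf, sizeof buf);   /* allowed: fd already open */
        if (!locked) { (void)write(from_child[1], "NOSECCOMP", 9); _exit(2); }
        for (ssize_t i = 0; i < n; i++) buf[i] = (char)toupper((unsigned char)buf[i]);
        if (n > 0) (void)write(from_child[1], buf, (size_t)n); /* allowed: fd already open */
        /* Acquiring a new resource needs a syscall outside the allow list:
         * the kernel terminates the child with SIGKILL right here. */
        open("/dev/null", O_RDONLY);
        syscall(SYS_exit, 0);   /* plain exit(2) would be allowed; never reached */
    }
    close(to_child[0]); close(from_child[1]);
    (void)write(to_child[1], msg, strlen(msg));
    close(to_child[1]);
    ssize_t n = read(from_child[0], out, outlen - 1);
    out[n > 0 ? n : 0] = '\0';
    close(from_child[0]);
    int status;
    if (waitpid(pid, &status, 0) != pid) return -1;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGKILL) return 1;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 2) return 2;
    return 0;
}

int main(void) {
    char reply[64];
    int rc = strict_mode_demo("hello from the parent", reply, sizeof reply);
    (void)write(1, reply, strlen(reply)); (void)write(1, "\n", 1);
    return rc == 1 ? 0 : rc;
}
```

If it prints the upper-cased message and exits 0, the child died by SIGKILL on open() after its reads and writes went through; a return of 2 means the kernel refused strict mode because a filter was already installed.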