Sure, but until the advent of JS you at least knew whose code you were going to run. Now you are more or less required to run untrusted code just to get through daily life.
And web platform people remain convinced that HTTPS transport encryption is sufficient to protect everyone, even though desktop app, OS, and bootloader people have been doing code-signing for something like two decades.