[scrollaway]

There's a lot of web browser security features which are only relevant when the code is untrusted, when assets are fetched over http/https instead of bundled locally, etc.

GP is likely overestimating how much "bloat" could actually be dropped but your comment is uninformed.

[dmitrygr]

ALL code is untrusted

[abritinthebay]

That's... somewhat hardcore for most applications.

Also it's also not what most people mean by "untrusted". From a low level hardware standpoint though... assuming user-land code isn't trustworthy IS a good guideline.

[scrollaway]

Purposefully misunderstanding what people write in an effort to be a smartass is a sure-fire way of creating security issues.

No, "ALL" code is not untrusted. There's varying degrees of trust. I'd encourage you to stop trying to win the argument through platitudes and do some research instead, but I'm not sure you're interested.