[jariel]

Users will never have the vast operational knowledge that most organizations do, and are generally very unsophisticated.

This is why there is no 'File Access' API in the browser, because it'd be like giving guns to teenagers, even with 'safety training' it would get out of hand.

So the issue then becomes one of 'power' as much as 'knowledge' of security, and of course all the peripherial abuse surrounding the 'security rules' that have nothing to do with security.

Involving 3rd parties, giving proper security notifications but still letting users have the final say etc. etc. there are definitely middle paths and reasonable choices we coudl make.

But there's just too much money on the table for the powers that be to look the other way, they will continue to infringe until they are stopped.