[aj3]

But neither syspatch nor sysupgrade apply to stable branch, meaning you'll be running release and if that's how you're keeping your desktop system updated - you're definitely using vulnerable browser, as in this scenario neither firefox nor chromium will get updated until the next release.

current branch is very clearly not meant for new users, that's mentioned in various faqs multiple times.

[brynet]

Regardless of whether you're running 6.8 release, have applied the official syspatches, or compiled your own system from sources (-stable or release + patches). The binary packages compiled from the -stable ports tree are supported on all of these. Out-of-the-box 6.8 will always prefer packages from the packages-stable directory. And you can absolutely always use sysupgrade(8) to upgrade to the next release or snapshot.

You do have some huge misunderstandings of -stable/-release terminology and how they apply to the base system. Especially with the introduction of binary syspatch(8). There is no longer any incentive to compiling the -stable sources yourself, as the distinction between -stable and -release + errata patches has largely been lost. In the past it might contain changes not worthy of an errata, for instance, but these days that would be exceedingly rare.

You're right, there's no -stable packages for chrome. Boo hoo. What you don't see are the lengths OpenBSD has gone to protect users of these gigantic pieces of software, such as the tight integration of pledge(2) and unveil(2) by default. Heavily restricting to entirely removing filesystem and network access for every unique process type. Leaving only access to the ~/Downloads directory.

[aj3]

What you're telling sounds wonderful. That definitely wasn't the case a few years ago and documentation still does not reflect this conceptual merge between -release and stable.

And also, as far as I can tell the newest Firefox version available on -stable OpenBSD right now is 82.0.3 which was released in November.