That sandbox still leaves a lot of things accessible inside the browser though. APIs, which the site does not even need, but are provided by default by the browser. If I had a browser, which asked me for every new API (for example: "making requests to a server, first party, third party) access and the JS gave me a sound reasoning, of why this needs to happen, then perhaps I could trust it more. We have that partially, for things like location access, camera and microphone, but those are only very few things. I would also like to be able to specify, whether JS for one website (not only in general, but also that) is able to access my fonts list and stuff like that.
If we had this kind of control, then we could create generic profiles and go into the direction of Tor browser in terms of disappearing in the crowd when it comes to fingerprinting. Then we could share these profiles with other less tech-savy users to protect them as well.
Good luck getting any normal user not using JS, but also "for things like location access, camera and microphone" all listed stuff asks for permission before use by the OS/browser, or at least it does on any modern browser.
I even said, that we already have that sort of control for camera and microphone. You present those things in a way, as if you think, that I did not mention them as already existing. As if you have to lecture me about them existing in a modern browser. I did never claim that they did not for camera or microphone. Your comment feels agressive to me and seems to hint, that you did not parse my previous comment correctly.
What the "normal user" does, is not really my main concern. There could be a switch to "expert mode" or whatever. The "normal user" doesn't even know, that a website consists of HTML, maybe CSS, and maybe JS. They are so far behind in basic knowledge, that I think it would be hopeless to demand such decisions from them. They just don't know how the Internet works. They are merely users.
> There could be a switch to "expert mode" or whatever.
That would require building 2 completely different apps that work completely differently.
There is no CSS, no resources that are loaded in, all the structure and style and everything is generated as it's needed so that the server does not need to parse and create pages that end up using and spending a lot of resources when under load. This way the server only gives the JSON data out and the website parses and generates everything.
Can't do that without Javascript, just like an Android or iOS app can't work without using a front end language to generate the view that you interact with.
If we had this kind of control, then we could create generic profiles and go into the direction of Tor browser in terms of disappearing in the crowd when it comes to fingerprinting. Then we could share these profiles with other less tech-savy users to protect them as well.