Am I right that this makes the tradeoff of removing the possibility for vulnerabilities in specific web applications, but creates the (admittedly slimmer) chance for Universal-ish XSS in browsers?
It’s a risk. That’s why there are bug bounty programs and open processes for the specification.
Browsers have a track record of being able to ship security bugs for severe issues within a day or two. Compare that to patching every individual website.