This seems like a good start to understanding Electron security and why using it to do what the documentation expressly states is unwise might be less than optimal.
Can you give a specific example of what is wrong with Min's security configuration, assuming it is following Electron best practices? Asserting that the security model is bad and linking to Electron's security tutorial is not helpful.
For my own part, I find the introduction that specifically warns that Electron is not a web browser and should not be trusted to handle potentially malicious code from over a network to be clear enough. I understand that this is an opinion that not everyone will share.
For a single specific example, look at the information on permissions and compare to how Min handles them. I also see no functionality that attempts to determine if code is malicious or not. Chrome does have measures in it to do this.
That said, I need to be clear. The matter at hand is not a matter of mere configuration and cannot be addressed by better configuration of Electron. Chromium was designed and built to run in a very hostile context. Electron has been built to run in a much more trustworthy context. There is no amount of configuration that will turn the latter into the former because it is not purely a difference of configuration.
Electron's security model is not bad in any absolute sense. It's designed for a particular context and set of scenarios. Dropping it into a very different one with very different needs makes it a poor fit for the job at hand. You may as well descend into a volcano with a home stove potholder.
I hope this has clarified matters. I understand that some people will be very discouraged by the stance I have taken on this. I have no desire to crush their dreams, only to ensure they make good and wise decisions around security.
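To illustrate the permissions point raised in the post above, here is an added example (not code from Min, Electron, or any poster in this thread) of a deny-by-default handler in the shape Electron's `session.setPermissionRequestHandler` expects. The grant table, origins, function names, and the rule of refusing subframe requests are assumptions made for the example.

```javascript
// Added example: policy logic only; all names and origins are constructed.
// Electron invokes a handler registered with
// session.setPermissionRequestHandler(handler) as
// handler(webContents, permission, callback, details).
// Without a handler, Electron approves every permission request.

// Hypothetical grant table: origin -> permissions the user has approved.
const GRANTS = new Map([
  ['https://meet.example', new Set(['media'])],
  ['https://maps.example', new Set(['geolocation'])],
]);

// Reduce a requesting URL to an origin; only https origins are eligible.
function originOf(url) {
  try {
    const u = new URL(url);
    return u.protocol === 'https:' ? u.origin : null;
  } catch {
    return null; // unparsable URL: no origin, so no grant
  }
}

// Deny unless the request comes from the main frame of an https origin
// that holds an explicit grant for exactly this permission.
function decide(permission, details, grants = GRANTS) {
  if (!details || details.isMainFrame !== true) return false;
  const origin = originOf(details.requestingUrl);
  if (origin === null) return false;
  const allowed = grants.get(origin);
  return allowed !== undefined && allowed.has(permission);
}

// Build the handler; every decision is passed to `log` for auditing.
function makePermissionHandler(grants = GRANTS, log = () => {}) {
  return (webContents, permission, callback, details) => {
    const ok = decide(permission, details, grants);
    log({ permission, url: details && details.requestingUrl, ok });
    callback(ok);
  };
}

// Wiring in an Electron main process (not executed in this example):
//   session.defaultSession.setPermissionRequestHandler(makePermissionHandler());
```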
First and foremost, Electron runs on often outdated versions of Chromium which are vulnerable to known 0days.
Electron RPC also makes it really easy to get RCE if you don't implement it properly, and most JavaScript developers don't implement it properly. Electron also does not have anywhere near as much security research into it.