by jraph 738 days ago
CSPs and mechanisms against cross-site scripting are such protections. They would block a script from calling home or executing arbitrary scripts or displaying images that could exploit vulnerabilities.

So browser engines definitely protect developers against themselves a bit.

Although I agree with you that there's only so much you can do for the devs bundling crap themselves, I was wrong on this indeed.

Still, I would not be overly confident with web code running in a browser where security is not well studied if it has any network capacity. Especially if the app displays any external content in something like an iframe.
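As an added example (not part of jraph's comment), a small Python evaluator that shows which CSP directive governs each of the loads mentioned above: scripts (script-src), calling home (connect-src), images (img-src) and iframe content (frame-src), with the default-src fallback browsers apply. The matcher is deliberately simplified (no ports, paths, nonces or hashes; frame-src falls straight back to default-src) and every host name in it is made up.

```python
"""Minimal Content-Security-Policy evaluator (added example, not from the comment)."""
from urllib.parse import urlparse

# Fetch directive that governs each load type; absent directives fall back to
# default-src, as browsers do (simplified: real browsers check child-src for frames).
DIRECTIVE_FOR = {"script": "script-src", "connect": "connect-src",
                 "img": "img-src", "frame": "frame-src"}


def parse_csp(header):
    """'script-src 'self'; img-src *' -> {'script-src': ["'self'"], 'img-src': ['*']}"""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _origin(url):
    u = urlparse(url)
    return u.scheme, u.hostname or ""


def _source_matches(source, url, page_origin):
    scheme, host = _origin(url)
    if source == "'none'":
        return False
    if source == "'self'":
        return (scheme, host) == page_origin
    if source.startswith("'"):            # 'unsafe-inline', nonces, hashes: out of scope here
        return False
    if source == "*":
        return scheme in ("http", "https", "ws", "wss")
    if source.endswith(":"):              # scheme-source such as "https:"
        return scheme == source[:-1]
    src_scheme, _, src_host = source.rpartition("://")
    if src_scheme and src_scheme != scheme:
        return False
    if src_host.startswith("*."):         # wildcard host: "*.cdn.example"
        return host.endswith(src_host[1:])
    return host == src_host


def is_allowed(header, load_type, url, page_url="https://app.example"):
    """True if a load of `load_type` from `url` is permitted by the CSP `header`."""
    policy = parse_csp(header)
    sources = policy.get(DIRECTIVE_FOR[load_type], policy.get("default-src"))
    if sources is None:                   # no governing directive: CSP imposes no limit
        return True
    page_origin = _origin(page_url)
    return any(_source_matches(s, url, page_origin) for s in sources)
```

The key takeaway is the last branch: a policy that names only script-src leaves connect-src and img-src unrestricted, so a script can still call home or load external images unless default-src is set.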