If I remember correctly, one of the original concerns was that the feature didn't respect user boundaries on the host machine itself. In other words: multiple users sharing a machine could inadvertently (or intentionally) retrieve information about each other.
That would be a straightforward example of "can't read the browser history for a user, but could read it indirectly via the agent."