[blharr]

That does not sound at all reassuring, that the only safeguard is the system blocking access and that the API has no safeguard.

Its also easily possible to have sensitive files misplaced, especially for a general non-technical user that would be the one falling for a browser hijacking attack

[bigrocketapps]

I have not checked the source code to tell you if the system is the one blocking access or the browser-level API itself. I'm guessing it's the browser. The only reason I mentioned Linux is that's where I tested it and I'm sure there are differences across OSes.

My biggest concern here is the write permission.