
It all depends on your Operations Security model. For some people it's more important for things to be available and convenient than for them to be secure.

For the average user, I would say malware running under the browser sandbox within a domain context is game over, assuming for example malware under your webmail or bank page domain.

This XKCD applies to this very well: https://xkcd.com/1200/

> If someone steals my laptop while I'm logged in, they can read my email, take my money, and impersonate me to my friends, but at least they can't install drivers without my permission.



Each browser tab and cross-origin iframe is its own process sandbox. Web security operates on domain boundaries.

If your webmail provider or bank is serving malware or user generated content under the same origin as the frontend, they have self-owned beyond the browser’s capacity to help.
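As an added illustration of the origin boundary this comment describes (not part of the thread): a short audit that flags user-content URLs sharing an origin with the application frontend. The function names and all URLs are constructed for the example.

```javascript
// Added example: hypothetical helper names, constructed URLs.
// An origin is the tuple (scheme, host, port). The WHATWG URL parser
// lower-cases the host and drops default ports, so compare parsed origins,
// never raw strings.
function originOf(url) {
  return new URL(url).origin; // throws TypeError on unparsable input
}

// Classify one URL that serves user-generated content against the frontend.
function classifyContentUrl(frontendUrl, contentUrl) {
  const front = originOf(frontendUrl);
  let content;
  try {
    content = originOf(contentUrl);
  } catch {
    return "invalid";
  }
  // data: and similar schemes serialise to the opaque origin "null",
  // which never equals a real origin.
  if (content === "null") return "opaque-origin";
  return content === front ? "same-origin" : "cross-origin";
}

// Return the content URLs that the browser cannot isolate from the frontend:
// script in these documents runs with the frontend's cookies, storage and DOM.
function auditUserContent(frontendUrl, contentUrls) {
  return contentUrls.filter(
    (u) => classifyContentUrl(frontendUrl, u) === "same-origin"
  );
}

// Constructed sample data.
const FRONTEND = "https://mail.example.com/inbox";
const CONTENT_URLS = [
  "https://mail.example.com/attachments/42.html", // same origin
  "https://MAIL.example.com:443/uploads/a.svg",   // same origin after normalisation
  "https://usercontent.example.net/42.html",      // separate host
  "http://mail.example.com/uploads/a.svg",        // scheme differs
  "https://mail.example.com:8443/preview",        // port differs
  "data:text/html,hello",                         // opaque origin
];
```

Anything `auditUserContent` returns is content the browser treats as the frontend itself; serving it from a separate origin is what restores the boundary.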



