Would you expect a "privacy focused" browser to offer you networking disabled by default but the ability to enable completely unrestricted networking in the settings (you can install a plugin for CORS and the like if you want) or to natively provide the privacy controls you need to actually use the browser? If the latter, why is it different depending which attack surface you ask about? If the former, why not just make that plugin part of the browser itself?
> Would you expect a "privacy focused" browser to offer you networking disabled by default
Obviously not, because at that point it can no longer be used to browse the web. (That said, "do no network requests" should be the default idle state of the browser until appropriate user interaction. Allowing CORS is also a horrible default but that ship has long sailed.)
I also disable WebGL in my Firefox profile and this does not inconvenience me in any way. So I do not think WebGL support is as instrumental to browsing the web as you claim; it entirely depends on what sites you visit. (And let's be honest here, a very significant majority of websites does not need WebGL.)
Everyone is welcome to have their own definition of what browsing the web requires be supported but if it wasn't part of browsing the web it shouldn't be part of the browser you can enable in the first place. That it is part of the browser you can enable is why it should have privacy support by the same browser, not because I personally think it should be part of what browsing the web requires.
If WebGL is a straw man to browsing the web why is the feature still included in the browser itself at all then? You certainly don't have to utilize every feature of the browser yourself but it is part of that browser nonetheless, it's just not a natively securable part.
