The browser security model is actually granular, as opposed to the desktop model of granting complete access upon running an app. Sensitive information like ___location or hardware access sits behind contextual permission prompts.