Chrome and Firefox have _very_ different behaviors here.
In Chrome, there is no way at all to get hold of the page's JS objects.
In Firefox, the default behavior is that you don't interact with them, but you can explicitly ask for them and once you have them you can work with them. Depending on what you do with them, you may or may not be creating security bugs, of course.
Critically, in Firefox you can have your separate clean builtins _and_ be interacting with actual page JS objects at the same time.
There are arguments for and against both models, of course.
Chrome and Firefox have _very_ different behaviors here.
In Chrome, there is no way at all to get hold of the page's JS objects.
In Firefox, the default behavior is that you don't interact with them, but you can explicitly ask for them and once you have them you can work with them. Depending on what you do with them, you may or may not be creating security bugs, of course.
Critically, in Firefox you can have your separate clean builtins _and_ be interacting with actual page JS objects at the same time.
There are arguments for and against both models, of course.