If malicious code is running outside of your browser, that is well beyond the scope of anything the web development guidance here will prevent.

Yes, but his point is that when you write a server (any server), you still have to consider non-browser connections on top of browser connections, thus any security policy that handles the former can subsume the latter.