If 90% of your activity is in the browser, then even if your sandbox was 100% isolated from other processes, 90% of your activity is still exposed, no?
And why are you confident in sandboxing? Just like in real life, it is only a rudimentary defence.
Every browser tab has its own sandboxed process. And to top it off, at least in Chrome every site (second-level domain) and iframe has its own sandboxed process.
Nice list. Now you need a RCE exploit and a chained breakout exploit thought. That's a lot of cash.
Given this and that the process isolation also protects against meltdown/spectre type attacks, I think we can agree that this type of fine-grained sandboxing is a requirement for secure software, no?
However, next to no software is using fine-grained sandboxing. From the top of my head only qmail, djbdns and gatling come to mind, none of them are for end-users.
So what end-users software does actually approach or surpas browsers in this regard?
Then lets not pretend that a browser is sufficiently secure for people considering using OpenBSD. Given the fact that by its nature a browser runs untrusted unreviwed code on your device it does a pretty good job of making it difficult to exploit, but it is irresponsible to say that its sandboxing cant be bypassed when clearly it can.
Yes, many of these vulns are memory corruption and then remote code execution. So what? The attacker is still confined to the sandboxed process.