Very good observations, and I’m totally with you on those.
I have to delve deeper in all the research, but the focus is mostly on the innovative UX patterns, so may be forgiven that that isn’t yet with security-first mindset front and center. In terms of security, for the component-oriented (app-free computing) approach I am looking into Wasm/WASI for sandboxing and only allowing contract/interface/capability-based strictly controlled access to any system resources.
This would make the examples you give wholly impossible, unless such powers are explicitly bestowed.
There’s a “too moldable” too, I think. What one’d want is “controlled moldability” and not an anything goes. I am thinking that this moldability should be domain-specific and what is possible at a particular location depends on use case and context. That should still allow ample flexibility and evolution of the domains by a diverse set of stakeholders, but also possibly reserve more sensitive extension/modification to a more select group of people that can be trusted with such responsibility.