The problem is that websites are also currently a significant privacy vulnerability.
I'd love an adblock system that allowed me to block trackers with a purely declarative API. I do not trust Apple (or Google) when they say that their API will be as effective as current extensions.
uBlock Origin and uMatrix are hands-down the gold standard for blocking right now. I'm very, very cautious about ignoring the advice of the person who made them, and that person is saying that declarative APIs don't offer enough flexibility for the blocking they want to do.
Of course extensions are a privacy risk. But I only need to vet two extensions, and without them I need to vet hundreds of websites. If the current extensions do a better job without a declarative API, then I'd rather risk installing them. You have to look at the risk of extensions in the context of the risks of the broader ad ecosystem on the web.
The same way you vet desktop apps. Install as few of them as possible, because the sandboxing is currently quite bad. Do research on the people who are developing them. Read the source code.
If you're worried about malicious transfers of power, turn off auto-updating in Firefox. If you're worried about being able to audit the actual installed code, use Firefox Developer Edition and audit and compile your own version to run.
In practice, I trust uMatrix and uBlock Origin because I'm familiar with gorhill's work and comment history around GitHub and HN. I also extend a similar amount of trust to Decentraleyes for similar reasons. Those are the only big 3 you need to get the biggest impact on your privacy. Arguably, you don't even need Decentraleyes if you only want to trust one person.
Why not just run all desktop apps in sandboxed virtual machines then?
There's a tradeoff between default privacy settings and user simplicity. As a power user you're still free to run whatever complicated scheme/browser you want to.
> Why not just run all desktop apps in sandboxed virtual machines then?
Ideally, we would like sandboxing on the desktop to be at least as good as sandboxing on the web (preferably better). People don't run sandboxed desktop apps right now because the ecosystem currently makes it inconvenient. Wayland and Flatpak are both good steps in the right direction. Apple's making some progress as well there, but it's all pretty early-stage stuff.
Until the sandboxing gets better, you should be cautious about installing unvetted desktop and phone apps. You should also be cautious about installing unvetted browser extensions. But browser extensions are complicated because while keeping a minimal system isn't that hard, you're probably not going to stop visiting unvetted websites, even if you know it's dangerous. It's a much higher priority for experienced users to make the browser sandbox good than it is to make the extension sandbox good.
People take a long-term view on this, and while I agree with them in theory, I don't think it's always particularly helpful to think about what technology will look like. With browsers, it's not a question of whether or not theoretically it would be good in the future to make extensions entirely declarative. Of course it would be good. It's a question of, 'is it possible to do that right now?' At the moment, Safari's declarative API is significantly less powerful than the blocking API that Firefox has. In the future, that could definitely change, but people have to use computers today.
So for the moment, the browser advice I give to non-power users is to install uBlock Origin and Decentraleyes on Firefox and nothing else. I think that's a safer, more private environment than anything they'll be able to set up on Safari. I advise power users to add uMatrix to that list, and for people who are really paranoid, I advise them to run Firefox Developer Edition, which will let them compile extensions from source.
If you're just handing someone a computer and you don't trust them not to go off and install random extensions, then sure, give them Safari. In that context, it's not confusing why Apple would do this -- they're optimizing for the largest number of users; people they can't trust not to install random extensions. It just means that more experienced/responsible users will be safer using Firefox.
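An added illustration of the distinction the thread turns on, written for this discussion and not taken from any commenter or from uBlock Origin, uMatrix or Safari: a declarative rule list (shaped like Safari content-blocker JSON) is evaluated by the browser with no extension code running per request, while an imperative `webRequest`-style handler can also consult runtime state. The rules, requests and the per-tab "temporarily allowed" set are constructed; the handler's policy is a simplified stand-in, not either extension's actual logic.

```javascript
// Added example on constructed data: two models of deciding whether a request is blocked.
// (1) Declarative: a rule list shaped like Safari content-blocker JSON (trigger + action),
//     applied by the browser; the decision can only depend on what the rule encodes.
// (2) Imperative: a handler shaped like a webRequest onBeforeRequest listener, which can
//     also read runtime state (here a hypothetical per-tab "temporarily allowed" set,
//     modelled loosely on uMatrix's temporary rules).
const hostOf = (url) => new URL(url).hostname;

// Simplified first-party test: request host equals the document's host.
const isThirdParty = (req) => hostOf(req.url) !== hostOf(req.documentUrl);

// Declarative model (simplified Safari semantics): rules apply in order;
// a later matching "ignore-previous-rules" action lifts an earlier block.
function declarativeDecision(rules, req) {
  let blocked = false;
  for (const { trigger: t, action } of rules) {
    if (!new RegExp(t["url-filter"]).test(req.url)) continue;
    if (t["resource-type"] && !t["resource-type"].includes(req.type)) continue;
    const loadType = isThirdParty(req) ? "third-party" : "first-party";
    if (t["load-type"] && !t["load-type"].includes(loadType)) continue;
    if (action.type === "block") blocked = true;
    else if (action.type === "ignore-previous-rules") blocked = false;
  }
  return blocked ? "block" : "allow";
}

// Imperative model: same baseline policy (block third-party scripts, allow the
// first party and its subdomains), plus state that a static rule list cannot see.
function imperativeDecision(state, req) {
  const h = hostOf(req.url), d = hostOf(req.documentUrl);
  if (state.tempAllowed.has(`${req.tabId}:${h}`)) return "allow";
  if (h === d || h.endsWith("." + d)) return "allow";
  return req.type === "script" ? "block" : "allow";
}

// Constructed policy: block third-party scripts, except the site's own CDN.
const RULES = [
  { trigger: { "url-filter": ".*", "resource-type": ["script"], "load-type": ["third-party"] },
    action: { type: "block" } },
  { trigger: { "url-filter": "^https://cdn\\.news\\.test/" }, action: { type: "ignore-previous-rules" } },
];

// Constructed requests as seen from a page on https://news.test/ in tab 1.
const REQUESTS = [
  { tabId: 1, type: "script", url: "https://news.test/app.js", documentUrl: "https://news.test/" },
  { tabId: 1, type: "script", url: "https://tracker.test/t.js", documentUrl: "https://news.test/" },
  { tabId: 1, type: "script", url: "https://cdn.news.test/lib.js", documentUrl: "https://news.test/" },
  { tabId: 1, type: "image", url: "https://tracker.test/pixel.png", documentUrl: "https://news.test/" },
];

// Runs both models; by default the user has temporarily allowed tracker.test in tab 1.
function compare(state = { tempAllowed: new Set(["1:tracker.test"]) }) {
  return REQUESTS.map((r) => [declarativeDecision(RULES, r), imperativeDecision(state, r)]);
}
```

The two models agree on every request except the temporarily allowed tracker script, which the static rule list still blocks because nothing in it can express that per-tab state.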