I think it's both. It wasn't a problem when browsers were simple content display engines, but now that they are full VMs for application software, they need some of that capability just to function. FWIW, I think this was a mistake, but the genie is out of the bottle.
I suppose one technical mitigation might be a permissions dialog when a script requests access to a high-risk API like canvas or WebGL. But that's unfortunately something that won't work for most users, who will just click through the dialog.
I'm loathe to suggest it, but perhaps LLM's could help here? Once local LLMs are a couple orders of magnitude better and resource efficient, a user agent LLM could decide what features are actually needed for each page.
I suppose one technical mitigation might be a permissions dialog when a script requests access to a high-risk API like canvas or WebGL. But that's unfortunately something that won't work for most users, who will just click through the dialog.