All apps have the same origin (file:), so they are not sandboxed from each other (Bug #1181)
To reproduce, using the Chrome sandbox file APIs:
1) Install Serene Notes, from the Hominid Software feed
2) Add one or more notes
3) From the hamburger menu, select "Preferences & Help"
4) Enable "Backup Nightly". One backup will be made, then Backup Nightly will be disabled, as it can't be scheduled.
5) Use the Back gesture to return to the list pane.
6) From the hamburger menu, select "Restore from backup file". Observe that a backup file exists.
7) Launch Testr
8) In the File APIs tab, select "Chrome sandbox - write file"
9) Select "Chrome sandbox - delete all".
Expected behavior: one entry is removed, "/Testr"
Actual behavior: two entries are removed, "/Testr" and "/backups" (the directory used by Serene Notes)
10) Switch back to Serene Notes
11) From the hamburger menu, select "Restore from backup file"
Expected behavior: backup file is listed
Actual behavior: "No backups..." message is displayed.
Apparently, all apps have the same web platform origin (the scheme/host/port tuple that `location.origin` reflects): protocol=file, host="", port=0 (see https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy). Since the Chrome sandbox filesystem is keyed on the origin, every app sees and can delete every other app's entries.
Presumably, the other origin-keyed local storage features (localStorage, IndexedDB, cookies) suffer the same security problem. Among other things, this means that any downloaded HTML file, once opened in the app runtime, has the same access to stored data as the apps the user deliberately installed.
webOS set origin to undefined, which is not compatible with the web security model, and required workarounds in system code and app code.
Firefox OS used a special origin for packaged apps (https://developer.mozilla.org/en-US/Apps/Publishing/Packaged_Apps#Differences_from_hosted_apps).
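The following JavaScript is an added example written to illustrate the reproduction steps above and the origin comparison, not code from Serene Notes, Testr or the platform; the install paths and the `app://` scheme are assumptions. It shows that the two apps' file: URLs yield one origin tuple and one storage key, so the Chrome sandbox filesystem, localStorage and IndexedDB are all shared, and what a per-app origin of the Firefox OS kind would give instead. The `listSandboxRoot` probe only works inside the app runtime (it needs `webkitRequestFileSystem`); pasted into any file: page it lists the shared root, where both "/Testr" and "/backups" appear regardless of which app is running.

```javascript
// Added example (not part of the bug report): why two apps loaded from
// file: URLs share one origin and one storage partition, and how a per-app
// scheme (modelled on Firefox OS packaged-app origins) would separate them.

// Hypothetical install paths for the two apps named in the report.
const SERENE_NOTES_URL = "file:///opt/apps/serene-notes/index.html";
const TESTR_URL = "file:///opt/apps/testr/index.html";

// The (scheme, host, port) tuple that the same-origin policy and
// origin-keyed storage use; this is what location.origin reflects.
function originTuple(url) {
  const u = new URL(url);
  return {
    scheme: u.protocol.replace(/:$/, ""),
    host: u.hostname, // "" for file: URLs
    port: u.port,     // "" (no port) for file: URLs; the report's "port=0" is the numeric form
    // WHATWG serialization is "null" for file: URLs, but Chromium still
    // keys file: storage on a single shared "file://" partition.
    serialized: u.origin,
  };
}

function sameOrigin(a, b) {
  const x = originTuple(a), y = originTuple(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Storage partition key in the form scheme://host[:port].
// For every file: page this collapses to "file://".
function storageKey(url) {
  const t = originTuple(url);
  return `${t.scheme}://${t.host}${t.port ? ":" + t.port : ""}`;
}

// Assumed per-app URL: a dedicated scheme with the app id as host, so each
// app gets its own origin tuple. Not something the platform provides today.
function perAppUrl(appId, path = "/index.html") {
  return `app://${appId}${path}`;
}

// Browser-only probe: list the Chrome sandbox filesystem root from whatever
// file: page this runs in. Because the storage key is shared, Testr sees
// Serene Notes' "/backups" directory and vice versa.
function listSandboxRoot(callback) {
  if (typeof window === "undefined" || !window.webkitRequestFileSystem) {
    callback(new Error("Chrome sandbox filesystem API not available"), null);
    return;
  }
  window.webkitRequestFileSystem(window.PERSISTENT, 0, (fs) => {
    const reader = fs.root.createReader();
    const names = [];
    // readEntries returns batches; an empty batch means enumeration is done.
    const readBatch = () => reader.readEntries((entries) => {
      if (entries.length === 0) { callback(null, names); return; }
      for (const e of entries) names.push((e.isDirectory ? "/" : "") + e.name);
      readBatch();
    }, (err) => callback(err, null));
    readBatch();
  }, (err) => callback(err, null));
}

// Stand-alone demonstration when run outside a browser (e.g. with node).
if (typeof window === "undefined") {
  console.log("file: apps share an origin:", sameOrigin(SERENE_NOTES_URL, TESTR_URL));
  console.log("shared storage key:", storageKey(SERENE_NOTES_URL), storageKey(TESTR_URL));
  console.log("per-app origins differ:", !sameOrigin(perAppUrl("serene-notes"), perAppUrl("testr")));
}
```

Note that the QtWebEngine sandbox discussed next is Chromium's OS-level renderer process confinement; it does not change how storage is keyed, so enabling it alone would not separate the two apps' data. Separation needs distinct origins per app (a per-app scheme or host as sketched above) or distinct storage partitions per app.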
Sandboxing has been activated in QtWebEngine in Qt 5.7, but isn't present yet for Linux on 5.6.
A naïve attempt to simply backport this commit proved to be unsuccessful, maybe because the Chromium version was too old.