
We are not disagreeing? What I'm saying is that not all "blind code executions" are the same. The distinction between running an exe file on the OS and running a script inside a browser does matter, for risk assessment.


I'm disagreeing on "the potential impact is a lot smaller", because we have seen time and time again that executing a script in a sandboxed environment can quickly turn into running machine code with the user's privileges instead.



