Correct. IMHO accessing the local filesystem is incompatible with accessing the network from a security standpoint.

I’m fine with having a very clear toggle to allow this behavior for developer types, but this should default to secure.

I think this summarizes the issue and is exactly the correct solution.

There's a lot of the comments along the lines of "just run python -m SimpleHTTPServer" - but doing that makes your computer just as vulnerable as allowing file:// in the first place, in theory. It's only the very awkwardness of doing that that makes it any safer. Instead of hiding this fundamental incompatibility between security and local accessibility behind a layer of inconvenience, better to drag it out into the open and label it and fully support it. While you're at it, you can slacken off some of the other restrictions in "local mode" as well.

A browser is the modern VM, for better or worse. It should function locally, standalone.