Remote execution of code is a very popular attack vector.
Apple can negate this almost entirely by controlling JavascriptCore and WebKit and ensuring that their security models e.g. sandbox are tight and well tested. Leaving that up to third parties who may not be so vigilant compromises the security of the entire device.
Apple can negate this almost entirely by controlling JavascriptCore and WebKit and ensuring that their security models e.g. sandbox are tight and well tested. Leaving that up to third parties who may not be so vigilant compromises the security of the entire device.