It may have been a very good idea, but the sandbox implementation was shoddy, and 'Local Machine Zone' exploits are one of the main reasons IE has such a terrible security reputation. So other browsers should be wary about introducing a 'privileged mode'.
People can always install untrusted applications written in C. Why should the fact that your application is written in HTML+JavaScript make any difference? If it's just another native application; the implementation is unimportant to the end user.
Now, security is important, and it would be nice if all applications could be verified as to security. But they aren't. So while it would be good to figure out how to properly sandbox desktop HTML+JavaScript applications, I don't see as how failure in that regard should retard their adoption anymore than it retards the adoption of native applications written in C.
The obvious different is that you don't want to execute arbitrary C code just because a compromised ad network is serving malformed HTML. The ease of attack is much greater on the web.
Mozilla has used "no IE-like privileged mode" as a marketing point in the past. There's obvious benefits, but I hope any modern browser is going to be careful about the sandbox is implemented.
You're comparing incomparable things. Serving a web page in an unsecured environment is an obvious security problem, but completely unrelated to whether you have written a native application in HTML+JavaScript or something more traditional like C.
Would the C version of your native desktop app download code from an online ad network? Then it is just as problematic as a web app in an unsandboxed browser. If the C implementation of your desktop app wouldn't do that, then the HTML+JavaScript implementation of the same application shouldn't either, and there is no problem.
