It is, but there's also some historical friction between the people who hack on Gecko (like smedberg) and the people who hack on the services that tie into the browser, so sometimes it's diversity of opinion, and sometimes it's tribalism.
In this case, I'd be more inclined to listen to the commenter on his blog, Monica Chew. She's the security/privacy developer. Smedberg is a stone-cold genius who brought such things as Electrolysis to FFx, but he isn't blogging as a security expert. So, it's an informed and intelligent opinion, but it's not quite an expert one and the wording may be somewhat colored by the long-standing tradition of Platform Engineering pointing out where Services Development is getting it wrong... IMHO at least.
Thanks for the interesting background on the personalities.
Smedberg isn't wrong about the specific set of circumstances he cites: if an IdP (or someone who controls one, in whatever fashion) knows an RP to which a particular user auths, and wants to fool them both, it can. I think at this point we're supposed to advocate "defense in depth" and observe that there is nothing to prevent layering other mechanisms alongside Persona. For example: client certs, tokens, OTP systems, old-fashioned HTTP-auth, etc. For that matter, you could require the use of more than one IdP! (Not sure if the current JavaScript lib would tolerate this, but one could certainly modify it to do so... could this get on the roadmap for the rumored browser integration?)
I think most IdPs people are likely to use are strongly incentivized not to screw this up, but if it becomes an issue then some IdPs might be able to create value by being more trusted or auditable.