There is some middle ground here; it doesn't have to be some unrealistic all-or-nothing scenario. Fingerprinting is not solvable in the general case, but I argue there is still value in restricting the kinds of information any random ad vendor can extract from your browser. Speaking with the users' interests in mind, the browser could be made almost as secure as an app ecosystem without sacrificing developer freedoms.
For example, if we had a 3-tiered model, "basic", "web app", and "custom", that would solve most of the problems. For "basic", the browser acts like a featureless monolithic platform: no UserAgent header, no (3rd party) cookies, no localStorage, no advanced JS API, maybe even limited DOM access. Anything that needs access beyond "basic" would trigger a permissions dialog. "web app" would be full JavaScript, but no WebGL and only limited media support. And "custom" could be anything the website asks for, preferably in a manuscript file.
This would solve a whole host of issues, including security, for the most common cases. The number of websites that need to ask for more than "basic" is limited, at least as far as the typical user is concerned. Over the lifetime of a browser's settings profile that would probably be about 10 sites that need "web app" access.