About Browser Security Policies

How does the browser differentiate, though? If it’s serving you a page from the WWW (“world-wide web” or “wild, wild, west”, who knows?) it doesn’t know who wrote the page, whether it was your second cousin Edna’s attempt to put her Christmas letter online and save on postage, or if it was Joe M (for Malicious) Coder’s in his lucrative side hustle selling stolen identities. So it simply doesn’t let that page have access to your local files. However, if it’s serving your page already from your local file system, then it assumes that you’re not trying to steal your own identity and lets you have some access to your local files.

This is very unlikely to change in web browsers. And I really don’t want it to. I imagine most people who are concerned about security don’t want it to.

But for non-browser tools, it’s a different situation. Perhaps you want to ask Simon over in the TiddlyDesktop-RS thread if it’s something already available or something he would consider?

It’s an entirely different model. Node is an application running on your machine with full access to the file system. Because it can execute code, there are certain threats inherent, but they are very different from the WWW threat model, where the code that might be executed could come from anywhere.

If a clueless user downloads insecure code and runs it with Node, then yes, it might corrupt your passwords, launch the missiles, steal your boyfriend, or who knows what. We don’t want the same sort of threats to be possible just from visiting a webpage.

Since I ONLY need edit local files where is the problem?
        ^^^------ The problem is right here

The problem is that if the browser makers opened it up so that you could easily do this, they also open it up to a bad actor who ONLY needs to steal your private data. They have no way to distinguish those cases. But as @saqimtiaz pointed out, they do offer you some ways to run in a less safe mode. But with those flags set, I would suggest being very cautious about not visiting websites that you don’t completely control.