A prime example of "if a website tells a browser to load something" is popup windows - if a website tells a browser to open a dozen popups and popunders, then no, the browser should not do so. Earlier browsers did what the websites told them to do, and that was a horrible thing, so that's been changed.
Browsers in the modern web need to defend the user, not execute arbitrary instructions from random websites that nobody cares about.
(Please don't say "if I send you a malformed png file you have to execute the exploit, otherwise your argument breaks down".)
When I buy and read a newspaper, I don't expect the publisher to start following me everywhere and keeping a log of my life. When I read an article online, I shouldn't have to think about that either. But sites have so flagrantly abused the ability to deliver more than just the content I've deliberately requested, in order to track (and monetize) user behavior everywhere, that it's entirely appropriate for my User Agent to take steps to defend me.
I don't mind a site delivering some ads alongside the content I've asked for, just like I accept some ads in a printed magazine. But I don't expect my magazine to come with an embedded tracking device that will stick to me like a burr, even long after I've read the content and recycled the pages.
'We should patch exploits' and 'all things we would like to not load are considered exploits' seems to be rather begging the question. There is a class of things that use legitimate browser features, but we would prefer to not load by default.
You are covering the unauthorized access but disrupting/damaging is absolutely possible using plain old HTML and JS.
Privacy advocates argue that it's not only possible but many trackers are guilty of exactly that.
So the browser is in fact blocking malware.
... And yes, if you think about it, that definition does apply to ads as well. Really says something doesn't it :)
Edit: PeterisP says it much better in a sibling comment.
