With absolutely no disrespect intended, the hope that we'll forget about the WORA dream is delusional. WORA is inevitable and the Web, for all its flaws (and they are plentiful), is far and away the closest we've ever come. Even on mobile, which was a bit of a setback for the Web as WORA, JS has only been getting better over time. There's just no turning back the clock.

Security-wise, I think the best we can hope for is more and more OS-like sandboxing and isolation, capability-based security, and other defense-in-depth measures.

Privacy-wise, for defeating tracking and the like, ideally I'd hope for technical countermeasures to win the battle, but if we do end up having rely on legal measures, they have my full support, GDPR and CCPA included.

(Random idea for a technical countermeasure against fingerprinting: have you heard of those projects trying to defeat behavioral tracking where, whenever you visit a page, it simultaneously opens a bunch of other random pages in the background, hidden from you, and simulates activity on them, the idea being that Facebook has no idea what actual websites you like to visit because it's lost in the noise? What if instead, whenever you visit a page, your browser or a plugin or a proxy or whatever opened the same page simultaneously in a bunch of hidden background windows, with a random configuration of audio enabled/disabled, user agent, screen resolution etc fingerprinted characteristics?)