I don't know exactly about the browser sandboxing. But isn't its purpose to prevent access to the local system, while it mostly leaves access to the internet open?
Is that really a good way to limit an AI system's API access?
The same-origin policy in browsers defaults to preventing JavaScript from making API calls out to any domain other than the one that hosts the page - unless those other domains have the right CORS headers.
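An added example that is not from either post: a simplified JavaScript model of the check described above, deciding whether the browser lets page script read a response given the target URL and the response's CORS headers. The function names and sample origins are my own; real browsers also run a preflight for non-simple requests, which this model leaves out.

```javascript
// Added example (not from the thread): a simplified model of the browser's
// same-origin / CORS decision for a fetch() issued by a page at pageOrigin.
// Only the response-side check for simple requests is modelled; preflights
// (OPTIONS) for non-simple methods/headers are not.

function originOf(url) {
  const u = new URL(url);
  // An origin is scheme + host + port; URL normalises default ports away.
  return `${u.protocol}//${u.host}`;
}

// headers: plain object of response headers with lower-case names.
// withCredentials: whether the request carried cookies / HTTP auth.
// Returns { allowed, reason }; "allowed" means script can read the response.
function corsDecision(pageOrigin, targetUrl, headers, withCredentials = false) {
  const target = originOf(targetUrl);
  if (target === pageOrigin) {
    return { allowed: true, reason: 'same origin, no CORS needed' };
  }
  const acao = headers['access-control-allow-origin'];
  if (acao === undefined) {
    return { allowed: false, reason: 'no Access-Control-Allow-Origin header' };
  }
  if (acao === '*') {
    // Wildcard is never accepted for credentialed requests.
    if (withCredentials) {
      return { allowed: false, reason: 'wildcard ACAO rejected with credentials' };
    }
    return { allowed: true, reason: 'wildcard ACAO' };
  }
  if (acao !== pageOrigin) {
    return { allowed: false, reason: `ACAO ${acao} does not match ${pageOrigin}` };
  }
  if (withCredentials && headers['access-control-allow-credentials'] !== 'true') {
    return { allowed: false, reason: 'credentials sent but ACAC is not "true"' };
  }
  return { allowed: true, reason: 'ACAO matches page origin' };
}
```

Note that in the blocked cases the request is still sent and the server still processes it; the browser only withholds the response from script, so this policy limits what page code can read, not what it can send.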