
The whole cross-origin model in browsers, like it or not, allows something like this. It's hard to fix. Chrome already aggressively restricted permissions for file:// in a way that broke existing apps because they wanted to limit the risk of attacks against the local filesystem.

IIRC there have been file://-related vulnerabilities in webapps like pdf.js, too.




I don't know if you were around when the web started, but I was. The web was purely a viewing experience, and it gave me pause the first time I was asked to select a local file to "upload". I thought hmmm, when did they poke this hole? Of course for all I know it was a feature from the start but hadn't been used until then, but the concern is still valid. Had the original browser not allowed cross-site resource loading, perhaps other solutions would have been found to common problems (mostly related to advertising).



