
It's time to retire JavaScript and CSS and any Turing-complete scripting/styling; running random code from random websites is just never gonna be safe.



May as well have the web just be a series of PDFs, I've never heard of exploits in those! /s

Even just rendering engines can have bugs that can be exploited by specially crafted content. While it reduces the attack surface, it would be a massive hit to usability of web pages.


You write this seemingly as a joke, but someone a few months back actually posted a link to a blog that entirely consists of PDFs. What we really need is blogs that are all .txt files, to avoid the exploits in PDF active content.


You should have specified somewhere that PDFs are also vulnerable. It is not common sense.

On that, PDFs run scripts and use graphic libraries, they are not text documents.


Agreed, it was a bad example. You can fill them out like forms and the like.


PDFs can have full-on JavaScript and everything, too.


Gemini ¯\_(ツ)_/¯


If you got rid of JavaScript, it would mean that a lot of things that can be websites today would have to move to an application on your computer/phone. It is just shifting the security risk somewhere else.


Both of my computers (laptop and pinephone) get their native applications through secure, vetted channels that have practically never let malware through (their distro’s package repos).


And I have a browser that has practically never let malware through... and I get to visit any website without needing someone's approval.

I'll take open and a slight risk vs closed and a slight risk.


You can't know how many times your browser's let malware through; there's practically no supply chain security, no reproducible builds, no way to know what code has been executed.

I don't need anyone's approval to run native apps either; both my PCs run C apps I built from source and shell scripts I wrote myself without it, languages of my choice with implementations simple enough to write myself, not runtimes that literally no one that's not Google can afford to independently maintain. That's real openness.


I dunno, 20 years ago it gave us an instant cup holder


For those who might not have seen this reference: https://www.youtube.com/watch?v=gbVMdPDS1ak . Oh, VBScript, those were the times!


Laptops were so sexy back then.



