[...] I click on the URL and application is in the browser ... I think that sentence sums up the overall problem.
In Emacs, since you gave that as an example, when you install a package, the list is curated. Same with your GNU/Linux system. When you copy a snippet of Emacs lisp code, you will see the license text and can decide what to do before running the program. Had non-free software been irrelevant, web browsers executing random code (if we can wish for a world where non-free software is irrelevant, we can wish for software without security issues :), then the Javascript trap wuldn't have been a trap.
