I'm no XUL-meister, but as I understand things, XUL installs as part of the Browser, and has basically the same OS access as any other part of the browser.
That's a common misconception. There is XUL, which is a language used to describe UI. It has no inherent security priveleges -- XUL served over http:// has the same permissions as any web page.
Some particular XUL files are tagged as part of the browser and have expanded permissions. The same is true of some HTML files.
"Note that you can't bind the XBL to an arbitrary element like you can with XBL in XUL. You must bind it to a regular HTML element like a SPAN or a DIV.
I'm unaware of any such restrictions in XBL; in fact one can easily bind XBL to things like images...
"You should also be able to insert XUL directly into XHTML files, but a bug in Mozilla currently prevents this from working. See the bug report for the details."
This is only an issue if you want to embed XUL in a generic XML file. This is indeed broken. If you have a XUL file served with the XUL mimetype, it will work (modulo some issues with overlays).
