To re-explore this from one technical angle. If there is malicious code then the current technical solution would not prevent the malicious code from doing harm as the code, instead of copying secrets from local storage and using it from another site, it could instead just use the solid session to fetch the data and send that?
It would seem like the next iteration of the solid spec, server & client would benefit from the approach @NoelDeMartin outlined here.