A sea of confusing permission prompts is downstream of the same origin model.

We take for granted is "just how it has to work". But that's not the case!

It's actually a hack that is downstream of the decision to use a simple, high-contrast same origin model.

The same origin model requires a small set of extremely clear, discontinuous boundaries around the edges of the origin.

When data crosses the boundary (e.g. you give the origin the ability to turn on your camera, which allows data to flow inside), you need a permission dialog: a border crossing.

It's possible to imagine a security model that allows safe composition more granularly, where the boundaries between things could get fractally more nuanced, and overall feel less like a high-contrast boundary and more like a gradient.