It's a fine line between making the web usable, fingerprinting, and peppering the user with dozens or hundreds of permissions.

And since browsers rival OSes for complexity (they are basically OSes in their own right already), any part of the system can be inadvertently exposed and exploited.