Well there is a permission dialog and you need to select the directory to grant access and common sensitive directories are blacklisted.

A malicious ad would probably have an easier time tricking you into downloading and running an executable, which is something that has actually happened many times IRL. Worry about that before worrying about theoretical exploits that nobody has actually exploited in an API shipped in the world's most popular web browser for the past 6 years.

That isn't how any of these things work, though. This kind of thing needs a permission to be granted by the user and it does not extend to third-party ads appearing on the site that it is granted to (banner ads have, for a long time, been sandboxed in iframes in the browser to prevent such exploits). I wish native applications had this level of isolation from each other.

Did you miss that this has been shipped in Chrome for 6 years? How many drive-by-download viruses has your machine gotten since then? Zero for me...