I think "chooses to" is doing a lot of work there in your understanding. Spectre exploits were found in the wild even in JS code submitted to ad networks. I suppose a user could choose to uBlock all ad JS and never visit webpages they don't trust. Those are choices, sort of.
But also that's a bit victim blaming isn't it? Do you want to explain to your grandfather or partner or child "Oh sorry, you had a password stolen because you chose to visit Google.com on a day where Google let an ad buyer attach Spectre exploit malware"? (Google could also chose to not let ads attach JS at all, but that's a very different problem.)
Computers have millions of places they get code from to run. Is "your CPU has a data leaking bug in it" the user's problem or the OS's problem? When there's a mitigation the OS can manage? When security-in-depth is an option?
I installed Bazzite on my own old Desktop not supported by Windows 11. One of the first things the Linux kernel spits out on boot if I have the boot console up is about running with Spectre mitigations. The Linux kernel also thinks it is important to mitigate (as Windows 10 did, but Windows 11 doesn't include and so doesn't support this old Desktop).
Sure I am might have been a wee bit too bitter writing that.
The point I want to make is that allowing remote code execution is such a big attack surface that it makes all the other security measures look silly, which indicates that signed execution contexts in them self is an attack on privacy and control etc.
If there was any actual security concerns there could be a push for server side rendering or something.
But also that's a bit victim blaming isn't it? Do you want to explain to your grandfather or partner or child "Oh sorry, you had a password stolen because you chose to visit Google.com on a day where Google let an ad buyer attach Spectre exploit malware"? (Google could also chose to not let ads attach JS at all, but that's a very different problem.)
Computers have millions of places they get code from to run. Is "your CPU has a data leaking bug in it" the user's problem or the OS's problem? When there's a mitigation the OS can manage? When security-in-depth is an option?
I installed Bazzite on my own old Desktop not supported by Windows 11. One of the first things the Linux kernel spits out on boot if I have the boot console up is about running with Spectre mitigations. The Linux kernel also thinks it is important to mitigate (as Windows 10 did, but Windows 11 doesn't include and so doesn't support this old Desktop).