the_harpia_io 19 hours ago

The cross-domain check makes sense as the priority - that's where the real risk is. Injection making the agent do something dumb on the same site is bad, but redirecting to an attacker-controlled domain is way worse. Exfil via URL params, tokens in redirects, all that. Your browser-native agent mode idea is interesting. Something like CSP but for navigation intent - "this agent can only interact with *.myapp.com" - and it's declarative so the injection can't social-engineer its way around it. Though browser vendors are probably 2-3 years behind on this stuff. Agent frameworks will have to solve it themselves first and then maybe Chrome picks it up later once there's consensus.
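An added example, not part of the comment above and not any framework's or browser's API: a sketch of how an agent framework could enforce a declarative navigation policy like the `*.myapp.com` rule mentioned there. The `POLICY` shape and the function names `hostAllowed` and `checkNavigation` are hypothetical, and the URLs are constructed samples.

```javascript
// Hypothetical declarative policy: fixed outside the model's context,
// so page content cannot change it.
const POLICY = {
  schemes: ["https:"],
  hosts: ["myapp.com", "*.myapp.com"], // wildcard pattern from the comment
};

// True if hostname equals an entry or falls under a "*.suffix" entry.
function hostAllowed(hostname, patterns) {
  const host = hostname.replace(/\.$/, "").toLowerCase(); // drop trailing root dot
  return patterns.some((p) => {
    if (p.startsWith("*.")) {
      const suffix = p.slice(1); // ".myapp.com"
      // The leading dot forces a label boundary, so "evilmyapp.com" fails.
      return host.length > suffix.length && host.endsWith(suffix);
    }
    return host === p;
  });
}

// Decide on one navigation target. Call this for the initial URL and again
// for every redirect hop, since a same-site link can redirect off-site.
function checkNavigation(rawUrl, policy = POLICY) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG parser, the same rules a browser applies
  } catch {
    return { allow: false, reason: "unparseable URL" };
  }
  if (!policy.schemes.includes(url.protocol)) {
    return { allow: false, reason: "scheme not allowed" };
  }
  if (url.username || url.password) {
    // "https://myapp.com@other.example/" has host other.example
    return { allow: false, reason: "userinfo in URL" };
  }
  if (!hostAllowed(url.hostname, policy.hosts)) {
    return { allow: false, reason: "host outside policy" };
  }
  return { allow: true, reason: "ok" };
}
```

The decision is made on the parsed hostname, never on a substring of the raw URL, and the default is deny.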