I think the point is that you can have an arbitrary website read the browser’s memory, so example.com can read the password for example.org and example.net.