This seems like a good proposal.
However, I think that the scope of security vulnerabilities and attacks on the web (both now and ones in the future) may be too vast for a proposal like this to cover.
The current APIs that we have have come a long way from what they used to be and are being iterated on to prevent things like XSS attacks from form injections. Granted they are not yet perfect, but very-important-bank.com can take measures to prevent their site from being hacked (i.e. sanitizing form data, using https vs http, sending appropriate headers, authenticating properly, etc.). In addition to that, many security vulnerabilities can easily be prevented by very-important-bank.com having knowledgeable and experienced engineers, especially if they are “very important”.
Also, security vulnerabilities are not always initiated from a browser (anything that is capable of requesting URLs can essentially hit an endpoint served, for instance), so each site will still need to take extra precautions. Unless I missed something, this proposal doesn’t seem to address that. But even still, very-important-bank.com is still going to need to invest in the knowledge of how to prevent security vulnerabilities on their own (is this what we’re trying to avoid with this proposal?)