
Loading a remote page and executing it in Electron is not the only, or even recommended, way to build Desktop apps using Electron. Electron was designed for creating Desktop apps, where the content is shipped in the app itself - in that case, contextIsolation is much less necessary because every way you could break out of the sandbox isn't interesting, it's just an obscure way to hack yourself. It's also a huge compromise to the developer experience, and is a big roadblock to anyone other than Electron experts.

Unfortunately, the world disagrees - they really want to wrap websites using Electron, so now we need to default to options that make Electron apps far less compelling as a platform.




> it's just an obscure way to hack yourself.

That's only true for applications that strictly only ever work on and display content that the user has created themselves.

This is an increasingly rare type of application in the age of the internet and social media to the point where I would argue that most applications these days interact with data created by other users (think opening an image file, displaying a chat message, displaying an email, etc).

With Electron you're setting yourself up in a way where a single case of a forgotten input escaping automatically means a remote code execution attack.

On websites, XSS certainly is a bad thing, but it is still somewhat limited in scope, and generic mitigations exist in many browsers.

In Electron apps, an XSS means an RCE unless you make use of features like `contextIsolation`.

Reading your comment makes it obvious to me that this isn't already a well-known issue. People generally aren't aware or believe their type of application to be immune and thus it would, and that's the point of my initial comment, make sense to either default to secure or at least default to asking the user to specifically make the decision to be insecure.

Defaulting to turning every XSS attack into an RCE seems to me like a very bad decision.


The fact that there is an app that downloads privileged code as a normal course of action is already a Remote Code Execution issue to me. Furthermore, the fact that it's only https protected means that any https proxy in between me and the server (say a corporate firewall) can execute random code on my computer. No thanks! And they are just a single hack of their static js hosting away from having all of their active users' computers hacked.
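The two risks discussed in this thread, an XSS reaching Node APIs when `contextIsolation`/`nodeIntegration` are set permissively, and privileged code being loaded from a remote https URL, can be caught at configuration time. Below is an added example (not code from any commenter or from Electron itself) that audits a `BrowserWindow`-shaped `webPreferences` object plus the URL it loads; it only mirrors Electron's real option names and does not require Electron, and the baseline values it assumes for unspecified keys are an assumption to adjust to your Electron version.

```javascript
// Assumed baseline for keys the app does not set explicitly (assumption:
// check the documented defaults of the Electron version you ship).
const ASSUMED_DEFAULTS = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: false,
  webSecurity: true,
};

function isRemoteUrl(url) {
  // Anything fetched over http(s) is controlled by the server (and by any
  // TLS-intercepting proxy in between), not by the app bundle.
  return /^https?:\/\//i.test(url);
}

// Returns a list of findings for one window; an empty list means the
// renderer cannot reach Node from page script and nothing remote is loaded
// with Node-exposing settings.
function auditWindow({ webPreferences = {}, url }) {
  const p = { ...ASSUMED_DEFAULTS, ...webPreferences };
  const findings = [];
  if (p.nodeIntegration) {
    findings.push('nodeIntegration: XSS in the renderer gets require() and Node APIs directly');
  }
  if (!p.contextIsolation) {
    findings.push('contextIsolation off: page scripts share a JS world with the preload script');
  }
  if (!p.sandbox) {
    findings.push('sandbox off: renderer process is not OS-sandboxed');
  }
  if (p.webSecurity === false) {
    findings.push('webSecurity off: same-origin policy disabled');
  }
  if (isRemoteUrl(url) && (p.nodeIntegration || !p.contextIsolation)) {
    findings.push('remote content loaded with Node-exposing settings: the host or an https proxy controls the app');
  }
  return findings;
}

// Constructed configurations: the "wrap a website" pattern versus a hardened one.
const WEAK_WINDOW = {
  url: 'https://app.example.invalid/',
  webPreferences: { nodeIntegration: true, contextIsolation: false },
};
const HARDENED_WINDOW = {
  url: 'https://app.example.invalid/',
  webPreferences: { nodeIntegration: false, contextIsolation: true, sandbox: true, preload: 'preload.js' },
};
```

With the hardened settings, page script can only reach what the preload script deliberately exposes through `contextBridge`, so an XSS stays an XSS rather than becoming code execution in the Node process.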


I would assume the danger is not your own content breaking out of the sandbox, but displaying unsanitized content from a remote database, which sadly still happens a lot more than you would expect. Definitely not something that only happens when wrapping a website using Electron.



