Exactly how is the OS supposed to stop an exploited browser from doing anything malicious? Even if you have strict access controls like SELinux, that won't stop a browser from participating in a DDoS attack and changing settings like cache or homepage to get reinfected next session. And if you don't have strict access controls, like 99% of desktops, the exploited browser can freely install all the user-mode malware it wants. So XP vs. not-XP is completely meaningless at this stage.