nodejs / security-wg

Node.js Ecosystem Security Working Group

Question: Why do we have a `--experimental-policy`?

RedYetiDev opened this issue · comments

In the NodeJS threat model, it asserts that certain code, including dynamically loaded dependencies, is inherently trusted. However, despite this trust, there exists a permissions policy. Why is such a policy necessary if the code is already deemed trustworthy according to the threat model?

What I understood about it is that you trust the code at some point and you make a policy to ensure that in the future you are not running a different (modified, untrusted) version of that initial code.

Note that this feature was developed before our threat model. AFAIK it's not a security mitigation for all supply-chain-attack vectors, but a seatbelt. It does work well except for its many edge cases.

> It does work well except for its many edge cases.

IMO, if there are any edge cases, then it doesn't really work well, so I agree with nodejs/node#52575's proposal to remove it.

Closing in favour of nodejs/node#52575