The way Electron breaks the browser security model is definitely bad, but I think it's important to separate Electron's actual security issues from the things people do inside of Electron.

Namely, a node_modules folder full of shit they mostly don't even know the purpose of, let alone the trustworthiness of the developers who wrote it (or the trustworthiness of all the things those developers had in their node_modules folder).

The combination of no browser security plus an unlimited number of unvetted dependencies is a really bad combination.