Don't disable that on the client machine!
> On a standalone local machine such as a desktop or laptop, which doesn't allow inbound connections, you can turn this stuff off and enjoy better performance in relative safety – if you know what you're doing and accept the small but potential risk.
It's actually the other way around. Web server machine runs only code that is installed on it, hopefully from a trustworthy repository, and leaking secrets from one process to another is not a threat.
On the client machine, you use browser that runs (javascript/wasm) code downloaded from someone's server that may not be trustworthy. And can steal your secrets.
(The same way, it is a threat for a provider who runs other people's vms/containers that run untrusted code.)