This particular attack is actually not a concern if you're using fish (or zsh for that matter I think), as it will not execute pasted content without an additional pressing of the enter key.
It's still a concern because there will be users reflexively pressing enter without checking what they pasted if it's the expected value most of the time.
Meanwhile there is zero benefit for letting websites manipulate the clipboard or intercept basic browser interactions. This might make sense for applications but that's just another argument why those shouldn't be forced into the same browser as websites.
Yeah, I'm disappointed there's no permission toggle so that I could have javascript-based clipboard setting behind a prompt on most websites and have exceptions for others.
