Reconsider registering message handlers in main script world
ephy_embed_shell_register_ucm_handler() registers certain message handlers in the main script world: tlsErrorPage, unsafeBrowsingErrorPage, and aboutApps. I'm likely about to add one more (likely named reloadPage) to fix #1663 (closed). In the main world, they are accessible to arbitrary web content. This means arbitrary websites can delete your web apps, or ignore their own TLS errors. It also allows naughty websites to entirely subvert the unsafe browsing feature by disabling safe browsing for the web view. (This would normally be a huge security bug, but currently unsafe browsing is disabled everywhere except Tech Preview anyway, so doesn't matter at the moment.)
These cannot be registered in secondary worlds because then they would be inaccessible to the page content, which would break the functionality, so fixing this is not straightforward. Ideas welcome.