Also, they could theoretically grab things like, say, swap files, or cookie files, or whatever, and use that to do all sorts of fun damage that way. And if you have a weak password on your OSX Keychain and you use auto-login functionality, suddenly they have your website passwords. Oops.

One thing I never really liked too much about the Safari RSS model (which we’ve discussed in the past) is how it acts more like an XML→HTML translation frontend (what with its silly feed:// hack and obscuring the feed’s source, making XML-problem debugging that much more impossible) instead of an alternate markup/layout handler (like what Firefox apparently does), but it also means that it’s possible that the problem is in WebKit itself, unless it’s something particularly fiddly with how Safari RSS handles its “read items” storage or something (I must admit I haven’t really used Safari RSS that much, having always just preferred server-side aggregation such as FeedOnFeeds or, later on, Google Reader).