By this logic, you should recommend that people don't use computers.
All software has vulnerabilities. The trick is to install it in a way which mitigates most of the typical ones: use VMs, SELINUX/APPARMOR, containers, chroots, user separations, etc.
None of what you mentioned protects against XSS which the parent mentioned. Things like having a proper CSP might but only if the application is built so it does not depend on insecure eval/inline and/or you can properly disallow fetch/connections to outside sources.
Everything you mentioned is about protecting things the app should not have access to. Many vulnerabilities are about intent (did the admin user really mean to truncate the db they have permission to truncate) or target (did the user really mean to export all my emails in an archive to h4x0r@yahoo.com).
If you at all store any sensitive data within the application either serverside or clientside you need to consider the security of the application itself, not just the sandboxing/isolation.
Agreed, this is a nasty bug in the software, which makes it open to manipulation by anybody on the internet who can send you an email. It's a big failure of the RoundCube project, developers probably do not care about security of user data very much. The response to the bug report is "did something to fix this, closed", no comment on what is going to be done to prevent this stuff in the future. Which is disappointing for a flaw of such severity. I wouldn't be surprised if similar attacks on RoundCube are still possible.
Just a month ago there was news of a RoundCube XSS zero-day that was widely exploited (https://cyberpedia.medium.com/state-sponsored-cyberattacks-l...).
Don’t use RoundCube!