
By this logic, you should recommend that people don't use computers.

All software has vulnerabilities. The trick is to install it in a way which mitigates most of the typical ones: use VMs, SELinux/AppArmor, containers, chroots, user separation, etc.




None of what you mentioned protects against XSS which the parent mentioned. Things like having a proper CSP might but only if the application is built so it does not depend on insecure eval/inline and/or you can properly disallow fetch/connections to outside sources.

Everything you mentioned is about protecting things the app should not have access to. Many vulnerabilities are about intent (did the admin user really mean to truncate the db they have permission to truncate) or target (did the user really mean to export all my emails in an archive to h4x0r@yahoo.com).

If you store any sensitive data at all within the application, either server-side or client-side, you need to consider the security of the application itself, not just the sandboxing/isolation.
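The comment above makes the point that a CSP only helps if the application does not depend on inline scripts, eval, or unrestricted outbound connections. The following is an added example (not code from Roundcube or from anyone in this thread) that parses a Content-Security-Policy header and reports the settings that would leave an XSS payload free to run or to exfiltrate data; both sample headers are constructed for the example, and the directive names and source keywords are the standard CSP ones.

```python
"""Check a Content-Security-Policy header for settings that leave XSS
unmitigated: inline/eval script execution and unrestricted outbound fetches.
Added example for this thread; not Roundcube's own code."""

# Constructed sample headers (not taken from any real deployment).
WEAK_CSP = ("default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
            "connect-src *; img-src *")
STRICT_CSP = ("default-src 'none'; script-src 'self' 'nonce-r4nd0m'; "
              "connect-src 'self'; img-src 'self' data:; style-src 'self'; "
              "object-src 'none'; base-uri 'none'; form-action 'self'")

HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [sources]}.
    Per the spec, a repeated directive is ignored; the first one wins."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)
    return policy


def effective(policy: dict[str, list[str]], directive: str) -> list[str]:
    """Fetch directives fall back to default-src when absent.
    An empty result means the directive is completely unrestricted."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def csp_findings(header: str) -> list[str]:
    """Return a list of human-readable weaknesses; an empty list means the
    policy restricts script execution and outbound connections."""
    policy = parse_csp(header)
    findings: list[str] = []

    script = effective(policy, "script-src")
    if not script:
        findings.append("script-src: unrestricted (no script-src and no default-src)")
    # 'unsafe-inline' is ignored by CSP2+ browsers once a nonce or hash is present,
    # so only flag it when nothing overrides it.
    if "'unsafe-inline'" in script and not any(s.startswith(HASH_OR_NONCE) for s in script):
        findings.append("script-src: 'unsafe-inline' lets injected inline scripts run")
    if "'unsafe-eval'" in script:
        findings.append("script-src: 'unsafe-eval' lets eval()/Function() run injected strings")
    for src in script:
        if src in ("*", "https:", "http:"):
            findings.append(f"script-src: {src} allows scripts from any origin")

    connect = effective(policy, "connect-src")
    if not connect or any(src in ("*", "https:", "http:") for src in connect):
        findings.append("connect-src: fetch/XHR to arbitrary hosts allowed (exfiltration path)")

    if "object-src" not in policy and "default-src" not in policy:
        findings.append("object-src: unrestricted plugin content")
    if "base-uri" not in policy:
        findings.append("base-uri: an injected <base> tag can redirect relative script URLs")
    return findings


if __name__ == "__main__":
    for label, header in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(f"{label}: {csp_findings(header) or ['no findings']}")
```

The check treats a missing `default-src` as "unrestricted" rather than "safe", which is the browser's behaviour, and only credits a nonce or hash source with neutralising `'unsafe-inline'`. The strict sample still requires that the application itself emit every script with the matching nonce and make no `eval`-style calls, which is exactly the application-level dependency the comment describes.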


Agreed, this is a nasty bug in the software, which makes it open to manipulation by anybody on the internet who can send you an email. It's a big failure of the RoundCube project; the developers probably do not care about the security of user data very much. The response to the bug report is "did something to fix this, closed", with no comment on what is going to be done to prevent this stuff in the future, which is disappointing for a flaw of such severity. I wouldn't be surprised if similar attacks on RoundCube are still possible.


Email is no longer in the class of "software you install"; it is in the class of "services you outsource to reputable companies who won't fuck it up".


Many people don't see it that way, as they outsource to Microsoft, who can't do e-mail properly and eff it up all the time.

It's more of "outsource to someone else" than "who won't fuck it up".



