This is trivial to do, takes like a few lines of code (not counting the social engineering page which obviously has to look sophisticated and real to trick people). So anyway, what's the conclusion, other than why using firefox? The conclusion is, make a new folder when you're downloading html documents. The fetch api https://developer.mozilla.org/en-US/docs/Archive/Misc_top_level/Same-origin_policy_for_file:_URIs can only access the same folder or subfolders, but since this is a brand new folder, there are no subfolders, and the same folder is this brand new folder with only the html file in it, so there's nothing else to read.
Well while it might be a new (cough) POC to the researcher who managed to pick through and dig this one up, obviously it was not that formidable enough for the foulware actors to exercise much time or attention on. But still nice bug catch per a firefox reader.
Exactly, and always protect important data from being accessed by browsers, you can do this with file/folder protection tools.