I used to run it on a laptop too, but the battery life was shorter and the laptop ran noticeably hotter than under Linux, so I eventually switched back.
That said, OpenBSD feels unusually coherent (ej. check wifi connection from terminal). The whole system has a level of consistency that's hard to find elsewhere, also between other BSDs.
I reply myself because I've found that idea already porposed:
"Origin policy was a proposal for a web platform mechanism that allows origins to set their origin-wide configuration in a central location, instead of using per-response HTTP headers." - https://github.com/WICG/origin-policy
But their status is "[On hold for now]" since, at least, three years ago.
The reference of robots.txt offer a good way to define specific behavior for the whole domain, as example. Something like that for security could be enough for large amount of websites.
Also, a new header like “sec-policy: foo-url” may be a clean way to move away that definitions from the app+web+proxy+cdn mesh to a fixed clear point.
Adding more security headers every year feels like strapping seatbelts onto a collapsing roller coaster. It would be better to stop this "sec headers stack" in favour of simpler, secure by default browser primitives with explicit opt-out. Getting an example from https://securityheaders.com the list nowadays is as follows: