is XUL security different than HTML?

XUL and HTML have exactly the same permissions with respect to which operations they can and cannot perform. The only way to run privileged code, for example to read a user's bookmarks or files from disk, is to sign the code with a digital signature, or to have the code installed as chrome.

XUL files loaded from the local file system rather than from chrome (that is, loaded from a file: URL) have the same permissions as remote XUL. Only XUL loaded from chrome using a chrome: URL gains special permissions. The same rule applies to any other type of content: if you load HTML through chrome, it also has full permissions.
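The rule above can be expressed as a small policy check. The following is an added example, not code from the FAQ or from Mozilla: it decides whether a document may run privileged operations purely from the parsed scheme of its URL, which is the only input the FAQ says matters. The content type is accepted as a parameter only to show that XUL versus HTML makes no difference, and the sample URLs are constructed. It uses the WHATWG URL API that Node.js provides globally; the function names are assumptions for this example.

```javascript
// Added example (not from the FAQ): a policy check mirroring the rule that
// only content loaded from a chrome: URL gains privileges. file: content and
// remote (http:, https:, ...) content get the same, unprivileged level, and
// the content type (XUL or HTML) never changes the outcome.
// Signed code, the other route the FAQ mentions, is outside this check.

const PRIVILEGED = "chrome";      // full permissions
const UNPRIVILEGED = "content";   // same level as remote content

// Return the privilege level for a document loaded from `urlString`.
// `contentType` is accepted only to show that it does not affect the result.
function privilegeFor(urlString, contentType) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    // An unparseable URL never gets privileges.
    return UNPRIVILEGED;
  }
  // url.protocol is normalised to lower case and includes the trailing colon,
  // so "CHROME://..." and "chrome://..." are treated alike, while a file: or
  // http: URL whose path merely contains "chrome" is not privileged. Matching
  // on the parsed scheme, not a substring of the URL, is the important part.
  return url.protocol === "chrome:" ? PRIVILEGED : UNPRIVILEGED;
}

// Decide whether a privileged operation (for example reading bookmarks or
// files from disk) may run in a document loaded from `urlString`.
function mayRunPrivileged(urlString, contentType) {
  return privilegeFor(urlString, contentType) === PRIVILEGED;
}

// Constructed sample URLs: the cases the FAQ distinguishes plus look-alikes
// that a naive substring check would misclassify.
const XUL = "application/vnd.mozilla.xul+xml";
const HTML = "text/html";
const SAMPLES = [
  ["chrome://browser/content/browser.xul", XUL],   // chrome XUL: privileged
  ["chrome://browser/content/page.html", HTML],    // chrome HTML: privileged
  ["file:///home/user/chrome/app.xul", XUL],        // local file: unprivileged
  ["http://example.com/chrome/app.xul", XUL],       // remote: unprivileged
  ["https://example.com/page.html", HTML],          // remote: unprivileged
  ["CHROME://browser/content/browser.xul", XUL],    // scheme is case-insensitive
  ["not a url", HTML],                              // unparseable: unprivileged
];

// Classify every sample; returns one record per URL.
function classifyAll() {
  return SAMPLES.map(([url, contentType]) => ({
    url,
    contentType,
    privileged: mayRunPrivileged(url, contentType),
  }));
}

for (const record of classifyAll()) {
  console.log(record.privileged ? "PRIVILEGED  " : "unprivileged", record.url);
}
```

Note that the two chrome: entries, one XUL and one HTML, come out the same, as do the file: and remote entries; only the scheme moves a document across the boundary.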

