What are the various security boundaries the platform offers? I have an idea, but I’m not completely sure whether it is exhaustive:
Origins: scheme, host, and port, or a unique identifier. Used by most platform features.
Origin groups: all origins whose scheme and host's registrable domain are the same (or scheme and host if host is not a domain, or just origin, if origin is a unique identifier). document.domain has forced this upon us.
Schemeless origin groups: all origins whose host's registrable domain are the same (or host if host is not a domain, or just origin, if origin is a unique identifier). Cookies are the worst.
There is also the HTTP cache, which leaks everywhere, but is far less reliable.