Ever heard of a little thing called AppArmor? One simple tweak of a configuration and the web browser has no access to the local file system at all barring its own config files. You could also very easily run the browser as another user that has extremely limited privileges.
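As an added illustration of the confinement the post describes (this is example configuration, not something from the thread or from any distribution's shipped profiles), the following AppArmor profile confines a hypothetical browser binary at `/usr/bin/example-browser`: it may read its own installation, read and write only its own configuration and cache under the user's home directory, and talk to the network, while every other path is denied. The binary path, the config directory name and the download directory are assumptions chosen for the example.

```apparmor
# Example profile: /etc/apparmor.d/usr.bin.example-browser
# Assumed binary path; replace with the real browser on your system.
# AppArmor profiles are default-deny: anything not listed is refused and
# logged, so the explicit "deny" rules below only override permissions
# that the included abstractions would otherwise grant.

#include <tunables/global>

/usr/bin/example-browser {
  # Shared libraries, /proc self entries, locale data, etc.
  #include <abstractions/base>
  # DNS resolution (/etc/resolv.conf, nsswitch, ...)
  #include <abstractions/nameservice>
  # Font files needed to render pages
  #include <abstractions/fonts>

  # Network access is the browser's job; keep it, but only TCP/UDP sockets
  network inet stream,
  network inet6 stream,
  network inet dgram,
  network inet6 dgram,

  # The browser may read and map its own code, but not write to it
  /usr/bin/example-browser mr,
  /usr/lib/example-browser/** mr,
  /usr/share/example-browser/** r,

  # Its own per-user configuration and cache: read/write, owner-only
  # (the "owner" keyword requires the file owner to match the process uid)
  owner @{HOME}/.config/example-browser/ rw,
  owner @{HOME}/.config/example-browser/** rwk,
  owner @{HOME}/.cache/example-browser/ rw,
  owner @{HOME}/.cache/example-browser/** rwk,

  # A single directory for downloads (assumed name), nothing else in $HOME
  owner @{HOME}/Downloads/ rw,
  owner @{HOME}/Downloads/** rw,

  # Explicitly refuse the rest of the home directory and common secret
  # locations, even if an abstraction above happens to allow them.
  deny @{HOME}/.ssh/** rwklx,
  deny @{HOME}/.gnupg/** rwklx,
  deny @{HOME}/** wl,
  deny /etc/shadow r,
  deny /root/** rwklx,

  # No spawning of unconfined helpers: child processes inherit this profile
  /bin/sh ix,
}
```

Load it with `apparmor_parser -r /etc/apparmor.d/usr.bin.example-browser` and check `aa-status` to confirm the binary is listed in enforce mode; denied accesses show up in the kernel log as `apparmor="DENIED"` entries, which is the quickest way to see what the profile still needs before switching from complain to enforce mode. The `ix` rule on the last line keeps any shell the browser launches under the same restrictions rather than letting it escape to an unconfined process.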
Curiously, that's exactly what IE 7/8's protected mode does on Vista/7. And that's enabled by default.
Is AppArmor, with those restrictions, enabled by default in a popular distribution of Linux? As far as I know, most ship with an AppArmor-capable kernel and some profiles - but they're usually not enabled.
Google's problem right now is that they're not running a "corporate IT" - all their developers have a lot of freedom on how to run their desktop. While this is great for the individual developers, from a security standpoint, this will always be a nightmare.
While there might be some very security-conscious people like you working there, others may not be overly concerned with security.