In fact, if the client really wants to, you can take a version of the browser with a well-known hole, and still get access to local files.

JavaScript and the DOM provide the potential for malicious authors to deliver scripts to run on a client computer via the Web. Browser authors contain this risk using two restrictions. First, scripts run in a sandbox in which they can only perform Web-related actions, not general-purpose programming tasks like creating files.

This specification allows web content to read files from the underlying file system, as well as provides a means for files to be accessed by unique identifiers, and as such is subject to some security considerations. This specification also assumes that the primary user interaction is with the element of HTML forms [HTML], and that all files that are being read by FileReader objects have first been selected by the user. Important security considerations include preventing malicious file selection attacks (selection looping), preventing access to system-sensitive files, and guarding against modifications of files on disk after a selection has taken place.

Explain this way - throw off the link, by clicking on which he will see: All your files are now encrypted , transfer $ 100500 to wallet 64578934725243457938 to get the decryption key.

Just a browser is not enough - install something like https://docs.python.org/2/library/simplehttpserver.html on the client's PC and give him the directory that he needs on the localhost.