* deanonymization , at least the site learns your ip address (and approximate geographic coordinates from it), users of telegram and other anonymous chats often forget about this
* spam through notifications , sites ask for permission to receive notifications (sometimes cyclically until you click yes) and after a while you will have pop-up windows with pictures (ads)
* attacking vulnerable web services where you are authorized - click jacking (blindly force you to click buttons on an authorized site, drawing it with 100% transparency in an iframe, moving it under the user's cursor), cross site scripting (perform actions on sites by calling requests directly there)
* there is a danger of accessing the clipboard, the fact is that, according to the standard, the browser does not have direct access to the buffer until the user performs an action on the site (mouse click), it is not difficult to force the user to do this, and the content of the buffer will be at the malicious site, and what is there in your buffer sometimes - sometimes very interesting
* phishing - slip a visual copy of other services, require authorization and thus fish out the login password
* many people allow (default behavior of browsers) automatic download of filesinto the download directory, a malicious site can slip a legitimate application infected with a Trojan into it, in the hope that the user will someday run it when he sees it in the download folder (there is always a mess and no one remembers where they downloaded from), in fact, this is one of the most dangerous actions, as it transfers operations from the browser sandbox to the operating system, and there vulnerabilities are more dangerous
...