Hacker News

It’s pretty safe in web browsers. Any app can write to it but the only way to read is if the user hits the paste shortcut.


That is not quite true. JS can read the clipboard on any direct user interaction using "Document.execCommand". Also, there is a newer Clipboard API that requires explicit user permission, but as far as I understand once it is given it allows arbitrary reads.


This depends on the browser. In a privacy-conscious browser such as Safari, it will pop up a browser-controlled "paste" context menu that the user has to explicitly interact with.


On my browser (Firefox 96), the paste command seems to just return false and do nothing.


Mozilla's documentation claims paste with Document.execCommand is disabled for web content (as it should be):

https://developer.mozilla.org/en-US/docs/Web/API/Document/ex...

On the wider issue, I'd like to only allow a keyboard combination from the window manager / compositor to paste to the focused window. X11 has three different clipboards and I think Wayland has two (I've only seen xsel use the X11 secondary selection) while I've only ever heard of the one clipboard on Windows.

The kitty terminal has some method of using the clipboard that works remotely (though all the magic kitty does inspired me to "alias ssh='st ssh'"). I'm not sure if anything other than kitty uses it. The permissions have a specific "ask" option, which seems like something the browsers should support for the Clipboard API.

https://sw.kovidgoyal.net/kitty/kittens/clipboard/


Are you running it as part of a click handler?


No, I was trying it on the console, without any context.


As I said, it needs to be as a direct reaction to user interaction. Though from the other comments, it seems my knowledge here is outdated anyways.
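
The comments above disagree on when a page can read the clipboard, and the answer differs per browser. As an added example (not part of the thread; `probeClipboardRead` and its result fields are names made up here), this function reports what the async Clipboard API allows in the browser it runs in, returning only the length of the text, never its content:

```javascript
// Added example, not code from the thread. `nav` is a Navigator-like object,
// passed in so the logic can also be exercised with mock objects.
async function probeClipboardRead(nav) {
  const result = { permission: 'unknown', read: 'not-attempted', length: null };

  // Chromium recognises the 'clipboard-read' permission name. Engines that
  // do not reject the query with a TypeError, recorded as 'unsupported'.
  if (nav.permissions && typeof nav.permissions.query === 'function') {
    try {
      const status = await nav.permissions.query({ name: 'clipboard-read' });
      result.permission = status.state; // 'granted' | 'denied' | 'prompt'
    } catch (err) {
      result.permission = 'unsupported';
    }
  }

  // The async Clipboard API can be absent (older engines, insecure context).
  if (!nav.clipboard || typeof nav.clipboard.readText !== 'function') {
    result.read = 'api-missing';
    return result;
  }

  try {
    const text = await nav.clipboard.readText();
    result.read = 'allowed';
    result.length = text.length; // report size only
  } catch (err) {
    // NotAllowedError: no permission, no user gesture, or the user
    // dismissed the browser-controlled paste prompt.
    result.read = err && err.name === 'NotAllowedError' ? 'blocked' : 'error';
  }
  return result;
}

// In a page: call it once from the console and once from a click handler,
// then compare the two results.
if (typeof document !== 'undefined') {
  document.addEventListener('click', async () => {
    console.log('from click:', await probeClipboardRead(navigator));
  }, { once: true });
}
```
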



