If there are some conflicts of interest between the user and the website, the browser (chosen by the user and put on the user's device by the user) should be on the user's side, and work with them to ensure that the interests of the user are met - at the expense of website "desires". A browser is not a platform for websites to run on; a browser is a tool for the user to interpret the content provided by websites according to the user's wishes.
A prime example of "if a website tells a browser to load something" is popup windows - if a website tells a browser to open a dozen popups and popunders, then no, the browser should not do so. Earlier browsers did what the websites told them to do, and that was a horrible thing, so that's been changed.
If I ask my User Agent to load a particular news article (for example), I am not intending to ask for a myriad of companies to start monitoring my reading habits, social interactions, shopping, or anything else.
When I buy and read a newspaper, I don't expect the publisher to start following me everywhere and keeping a log of my life. When I read an article online, I shouldn't have to think about that either. But sites have so flagrantly abused the ability to deliver more than just the content I've deliberately requested, in order to track (and monetize) user behavior everywhere, that it's entirely appropriate for my User Agent to take steps to defend me.
I don't mind a site delivering some ads alongside the content I've asked for, just like I accept some ads in a printed magazine. But I don't expect my magazine to come with an embedded tracking device that will stick to me like a burr, even long after I've read the content and recycled the pages.
How are you drawing a principled distinction between "if a website tells a browser to load something, the browser should do so" and "a website cannot load malware [except via an exploit]"? Clearly, asking the browser to load an EXE, or run this JavaScript that attacks website X, could be considered malware, so the line is fuzzier than 'if a website asks, a browser should load it'.
'We should patch exploits' and 'all things we would like to not load are considered exploits' seems to be rather begging the question. There is a class of things that use legitimate browser features, but we would prefer to not load by default.
I disagree. I think by default the browser should protect the user, and protect the user's privacy. The browser is an agent of the user, not an agent of the websites the user visits.
Edit: PeterisP says it much better in a sibling comment.
How is this “breaking the web”? Honest question, I would not subscribe to that sentiment, but am interested in other points of view.