There’s some discussion in the specs here: https://w3c.github.io/webappsec-secure-contexts/#is-origin-t...
> In particular, the user agent SHOULD treat file URLs as potentially trustworthy.
> User agents which prioritize security over such niceties MAY choose to more strictly assign trust in a way which excludes file.
A potentially trustworthy URL is a secure context: https://html.spec.whatwg.org/multipage/webappapis.html#secur...
So this is a matter of browsers not implementing it, probably because there’s just not a lot of demand for it.