Given the ability to select a directory and upload it in its entirety, I can imagine a malicious site saying something like "please choose a directory to save your X in" or similar, and using that to lead a user into uploading their home directory or download folder.
Please consider including a "UI security considerations and guidelines for user agents" or similar, documenting potential threat models like that, and suggesting approaches such as making the file upload UI show a preview of the number of files that will be uploaded and the first few filenames, very explicitly using language that makes it clear the files will be sent to the site, and identifying the site.
Given the ability to select a directory and upload it in its entirety, I can imagine a malicious site saying something like "please choose a directory to save your X in" or similar, and using that to lead a user into uploading their home directory or download folder.
Please consider including a "UI security considerations and guidelines for user agents" or similar, documenting potential threat models like that, and suggesting approaches such as making the file upload UI show a preview of the number of files that will be uploaded and the first few filenames, very explicitly using language that makes it clear the files will be sent to the site, and identifying the site.