The paper demonstrates that frontier CUA safety is domain-conditioned rather than general, meaning strong browser-surface defenses in Claude Sonnet 4.6 and GPT-5.4 do not extend to coding-agent contexts, and that published ASR benchmarks are unreproducible without the release of RL-optimized injection strings.