Some websites can use security vulnerabilities in different parts of the browser (rendering, image format parsers, Javascript, PDF, fonts, and everything else supported by the browser) to run code on your machine.

For a concrete example of what exploitation of a JS engine bug looks like, PlaidCTF2016 had a challenge that allowed people to run JS in a patched version of V8 that deliberately introduced a bug in array index checking, with the goal being to run x86 machine code.

The patch to v8: http://lpaste.net/317342

An exploit: https://gist.github.com/sroettger/d077d3907999aaa0f89d11d956...

While this bug was artificial, there were (and can still be) bugs with similar consequences in actual engines (see https://www.cvedetails.com/vulnerability-list/vendor_id-1224... or https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=spidermonke... for historical examples).

While a bug in most of the components you mention are bad by themselves, their impact is magnified by the presence of javascript, which allows an attacker to interleave calculations and interactions with the buggy components, bypassing many mitigations.

What if my browser does not run as root? Can I protect my files from ransomware by having a copy somewhere else on off-line storage?

I didn't see that on the site. Where does it say that? However, vulnerabilities do exist in browsers and that is how that could happen.