Shouldn't it be impossible for a website to determine what files exist or do not exist on a local machine? That sounds like a serious security problem. It seems that no non-file:// site should ever be allowed to load a file:// resource, much less query the element for its size or error state afterward.

You're completely correct.

Those kinds of security issues are the low-hanging fruit that's largely been fixed by now.