Correct, local storage can't be accessed by other domains. It depends on which browser you're using, but I think all major browsers encrypt cookies, local storage, etc on disk.
Looks like I may be wrong about this. Sounds like Google's stance is that if someone has access to your computer, they also have access to your browser.
It seems that other webpages cannot access it, but any local application could. I think Google is right, any local executable could just as well be a keylogger.
