Hello everyone. I'd like to ask: if I don't go through a backend and use jQuery's load directly to read a local HTML file, there seems to be a security problem and the load is refused. Is there any solution?
For example: $("#thediv").load("index.html");
The following error message appears:
Cross origin requests are only supported for protocol schemes: http, data, chrome, chrome-extension, https, chrome-extension-resource.
Let's start with the RFC document!
This document defines the concept of an "origin", which is often used
as the scope of authority or privilege by user agents. Typically,
user agents isolate content retrieved from different origins to
prevent malicious web site operators from interfering with the
operation of benign web sites. In addition to outlining the
principles that underlie the concept of origin, this document details
how to determine the origin of a URI and how to serialize an origin
into a string. It also defines an HTTP header field, named "Origin",
that indicates which origins are associated with an HTTP request.
From this passage we can see that origin management exists for security reasons. For example, someone secretly changes the source of jQuery (http://i.am.jQuery), and while ajax is being sent, transmits the password information from your page to their own server (http://i.am.a.bad.guy). For the details, please read the document carefully.
Back to the question: can local files be read with JavaScript? Let's look at what the document says!
- If uri-scheme is "file", the implementation MAY return an
implementation-defined value.
NOTE: Historically, user agents have granted content from the
file scheme a tremendous amount of privilege. However,
granting all local files such wide privileges can lead to
privilege escalation attacks. Some user agents have had
success granting local files directory-based privileges, but
this approach has not been widely adopted. Other user agents
use globally unique identifiers for each file URI, which is
the most secure option.
The above says it clearly: even though the files are in the same directory, that approach has not been widely adopted by user agents. Firefox also checks this by default; I'm not sure why you say there is no such restriction.
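To make the RFC text above concrete, here is an added example (not code from the original post) that computes origins the way RFC 6454 section 4 describes and compares them under section 5: a file: URI gets a globally unique (opaque) origin, so a page opened from disk is cross-origin even to index.html in its own directory, whereas the same two files served from one http host and port share an origin. The sample URLs are constructed, and the helper names (computeOrigin, serializeOrigin, isSameOrigin, canLoad) are my own. It runs under Node.js with no dependencies.

```javascript
// Added example: RFC 6454 origin computation, serialization and comparison.
// Not from the original post; helper names and sample URLs are made up here.

// Schemes for which an origin is the (scheme, host, port) tuple, with the
// port that is implied when the URL omits one.
const DEFAULT_PORTS = { "http:": 80, "https:": 443, "ws:": 80, "wss:": 443 };

let uniqueCounter = 0;

// RFC 6454 section 4: for schemes whose origin is implementation-defined
// (file: is the RFC's example) the most secure choice is a globally unique
// identifier, so every file: document gets an origin that matches nothing.
// `base` lets a relative URL such as "index.html" be resolved against the
// page that loads it, as the browser would.
function computeOrigin(urlString, base) {
  let url;
  try {
    url = new URL(urlString, base);
  } catch (e) {
    return { opaque: true, id: `unique-${++uniqueCounter}` };
  }
  if (!(url.protocol in DEFAULT_PORTS)) {
    // file:, data:, blob:, ...: no (scheme, host, port) tuple applies
    return { opaque: true, id: `unique-${++uniqueCounter}` };
  }
  const port = url.port === "" ? DEFAULT_PORTS[url.protocol] : Number(url.port);
  return {
    opaque: false,
    scheme: url.protocol.slice(0, -1), // strip trailing ":"
    host: url.hostname,                // URL parser already lower-cases it
    port,
  };
}

// RFC 6454 section 6.1: ASCII serialization. Unique-identifier origins
// serialize to the string "null"; the default port is omitted.
function serializeOrigin(origin) {
  if (origin.opaque) return "null";
  const defaultPort = DEFAULT_PORTS[origin.scheme + ":"];
  return origin.port === defaultPort
    ? `${origin.scheme}://${origin.host}`
    : `${origin.scheme}://${origin.host}:${origin.port}`;
}

// RFC 6454 section 5: two origins are the same only if both are tuples with
// identical scheme, host and port. Two unique identifiers never match.
function isSameOrigin(a, b) {
  if (a.opaque || b.opaque) return false;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Would a script on pageUrl be allowed to read targetUrl (possibly relative)
// under a plain same-origin check, with no CORS headers involved?
function canLoad(pageUrl, targetUrl) {
  const pageOrigin = computeOrigin(pageUrl);
  const targetOrigin = computeOrigin(targetUrl, pageUrl);
  return isSameOrigin(pageOrigin, targetOrigin);
}

// The question's scenario, with constructed sample URLs: the same
// $("#thediv").load("index.html") from a file: page and from an http page.
function demo() {
  const filePage = "file:///C:/site/page.html";
  const httpPage = "http://localhost:8000/page.html";
  return {
    fileOrigin: serializeOrigin(computeOrigin(filePage)), // "null"
    fileCanLoadIndex: canLoad(filePage, "index.html"),    // false
    httpOrigin: serializeOrigin(computeOrigin(httpPage)), // "http://localhost:8000"
    httpCanLoadIndex: canLoad(httpPage, "index.html"),    // true
  };
}

console.log(demo());
```

The practical consequence, and a fact about browsers rather than something the post states: because the file: page's origin is opaque, the usual remedy for the error in the question is to serve the directory from a local HTTP server so that page.html and index.html share an http origin. Note that this check only governs what a page may read; it is not what stops a tampered script from sending data elsewhere, which is why the reply above points to the RFC for the broader threat model.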