Nobody gets "full access" to your "javascript object"—whatever that even means; pages from different origins will still run into exceptions when trying to diddle the opener. There is a small, well-known set of (safe) properties that are excluded from the restrictions—like location. But the noopener behavior, by making opener null, does stop other pages from setting even opener.location, which could ordinarily be used to programmatically send the user to another page.