The command to find out what files are currently being accessed by a running process is lsof. With no arguments it lists every open file on the system, so you usually pipe it through grep to narrow it down to one process:
lsof | grep firefox
But that's beside the point. What you need to know is which files or directories a given user can access. This is the most basic way to display that info, and I am aware that there are better methods.
Log in as the non-root user, then:
find / -readable
Or what can be modified, and what can be executed:
find / -writable
find / -type f -executable
When a process is launched under that user, such as a child process from a Java applet running under your browser, it could technically access all of those files and directories. SELinux won't help you here, since this is just a basic permissions issue. You quite simply don't want untrusted processes to be able to access files and run commands under that user. And don't get me started on an OS that by default allows a regular Joe user to use sudo without a password.
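An added example, not part of the original post, that wraps the three find checks above into a small audit script for the current user: it silences the "Permission denied" noise, counts readable, writable and executable regular files under a tree, and lists the writable files that sit outside the user's own home directory (assumes GNU find; the function names are mine).

```shell
#!/bin/sh
# Added example (not from the original post): audit what the *current* user
# can reach under a directory tree, the way the find commands above do, but
# with the "Permission denied" noise dropped and the writable results split
# out. Writable files outside $HOME are what a hijacked process running as
# this user could tamper with, so they are the first thing to review.
# Assumes GNU find (-readable/-writable/-executable are GNU tests).

# Count regular files under $1 that pass the find test given in $2
# (-readable, -writable or -executable), evaluated as the invoking user.
count_access() {
    find "$1" -type f "$2" 2>/dev/null | wc -l | tr -d ' '
}

# List writable regular files under $1 that are not inside $HOME. Anything
# listed here is modifiable by every process this user runs, browser included.
writable_outside_home() {
    find "$1" -type f -writable ! -path "${HOME}/*" 2>/dev/null | sort
}

# Print one count per test, then the out-of-home writable list.
audit_summary() {
    root="$1"
    for chk in -readable -writable -executable; do
        printf '%-12s %s\n' "$chk" "$(count_access "$root" "$chk")"
    done
    echo "writable outside $HOME:"
    writable_outside_home "$root"
}

# Usage: sh audit.sh /some/tree   (use / for the whole system; it takes a while)
if [ $# -gt 0 ]; then
    audit_summary "$1"
fi
```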
There are two ways to keep a process such as a browser from reading files that it shouldn't. One is to run the process under another user and group that doesn't have free rein over the rest of your main user's files. It's not perfect, since there are always files every user needs to see, such as /etc/passwd, and it can still execute any binary or script under that user. The other way is to run it in its own chroot jail, and that is what I am going to explain here.