There will always be ways of exploiting things like this.
Perhaps the solution could be to handle this at the network level. In other words create what is effectively a "personal information firewall" built into the browser.
Have the browser detect when certain information is about to be send over the network, it would need to be checked prior to being passed to SSL. Things that fit formats like CC numbers or authorisation codes for banks. There could then be a prompt appear on top of all active windows saying "A CC number is about to be sent to xxx" Allow/Deny.
I suppose this would be difficult because phishers could re-encode data using JS into some other format before it is sent. So you would need some of mapping keyboard inputs to networking events.