Be very clear on this: the doctype does nothing. It means nothing. These security holes are based on browsers being released and used that happen to have new capabilities built into them. The Doctype has nothing to do with that. People could be using the HTML 3.2 IETF doctype and it wouldn't change a thing.
The Doctype is used for one thing and one thing only: doctype switching, for browsers that decided to use the existence (or lack thereof) of a doctype to determine which layout rendering system they would use, under the broad assumption that "old pages don't have doctypes" and "new pages do".
When people started discussing "HTML5", they realised browsers weren't actually reading doctypes. They ignore most of it, anyway. What
<!doctype html>
is, is the shortest possible string of characters we could get away with that browsers used to determine that, yes, there is indeed a doctype so we will render in "standards mode". Some of us were seriously hoping for anything like
<!doctype foo>
but that wasn't possible.
Everything else is simply a browser development. Some of them are being released without including ways for users to turn them off or refuse them. This is what's nice about NoScript: it can block lots of things for you and let you choose what should run in your browser and what not. Web fonts using @font-face, for example: there's no built-in way I know of to block those, but NoScript can.
Yes, XHR has been made more powerful, and I think one problem web security has always had and will continue to have is people making and hosting websites without any idea how a lot of this stuff works.
So I think this is an important topic, and I'd also love to hear good answers on "what should Joe website owner do for situation X", but we should stop calling these "HTML5 technologies" and instead the more correct "new browser technologies".
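As an added illustration (not part of the original post) of the one thing the doctype actually does, here is the doctype-to-rendering-mode decision from the WHATWG HTML parsing spec's "initial" insertion mode, reduced to a pure JavaScript function that runs outside a browser. The prefix lists are only a subset of the spec's legacy public identifiers, and the `{ name, publicId, systemId }` input shape is my own convention, not a browser API.

```javascript
// Added example, not from the original post. Implements the quirks /
// limited-quirks / no-quirks decision the HTML parser makes from a DOCTYPE
// token. Prefix lists below are a SUBSET of the spec's legacy identifiers.

// Public identifiers (prefix match, ASCII case-insensitive) that force quirks mode.
const QUIRKS_PUBLIC_ID_PREFIXES = [
  "-//IETF//DTD HTML 2.0//", "-//IETF//DTD HTML 3.2//", "-//IETF//DTD HTML//",
  "-//W3C//DTD HTML 3.2//", "-//W3C//DTD HTML 4.0 Transitional//",
  "-//W3C//DTD HTML 4.0 Frameset//", "-//W3C//DTD W3 HTML//",
];
// Prefixes that yield "limited quirks" (standards layout, quirky line boxes).
const LIMITED_QUIRKS_PUBLIC_ID_PREFIXES = [
  "-//W3C//DTD XHTML 1.0 Frameset//", "-//W3C//DTD XHTML 1.0 Transitional//",
];
// HTML 4.01 loose doctypes: quirks WITHOUT a system id, limited quirks WITH one.
const HTML401_LOOSE_PREFIXES = [
  "-//W3C//DTD HTML 4.01 Frameset//", "-//W3C//DTD HTML 4.01 Transitional//",
];

const lower = (s) => (s === null ? null : s.toLowerCase());
const startsWithAny = (s, prefixes) =>
  s !== null && prefixes.some((p) => s.startsWith(p.toLowerCase()));

// doctype: null when the document has no <!DOCTYPE ...> at all, otherwise an
// object { name, publicId, systemId } (constructed shape; publicId/systemId
// are null when absent). Returns "quirks", "limited-quirks" or "no-quirks".
function renderingMode(doctype) {
  if (doctype === null) return "quirks";              // no doctype: legacy layout
  const name = lower(doctype.name);
  const pub = lower(doctype.publicId);
  const sys = lower(doctype.systemId);
  if (name !== "html") return "quirks";               // why "<!doctype foo>" fails
  if (startsWithAny(pub, QUIRKS_PUBLIC_ID_PREFIXES)) return "quirks";
  if (startsWithAny(pub, HTML401_LOOSE_PREFIXES)) {
    return sys === null ? "quirks" : "limited-quirks";
  }
  if (startsWithAny(pub, LIMITED_QUIRKS_PUBLIC_ID_PREFIXES)) return "limited-quirks";
  return "no-quirks";                                 // "<!doctype html>" lands here
}

// Constructed inputs mirroring the post: the shortest modern doctype, the
// hoped-for "<!doctype foo>", an old IETF HTML 3.2 doctype, and no doctype.
console.log(renderingMode({ name: "html", publicId: null, systemId: null }));
console.log(renderingMode({ name: "foo", publicId: null, systemId: null }));
console.log(renderingMode({ name: "HTML", publicId: "-//IETF//DTD HTML 3.2//EN", systemId: null }));
console.log(renderingMode(null));
```

Note that nothing in this decision touches scripting, XHR or fonts; it only picks a layout mode, which is the post's point.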