Comment by Rohansi
5 days ago
Sure, browsers can navigate without your input, but what good would that do to bypass permissions? You can't use that to automatically grant your website permissions. And permissions are isolated to specific domains as if they were separate apps, so you can't just use permissions granted on domain A from domain B.
Not everything needs to be a PWA. Yes, they're great alternatives to apps, but why should anyone be forced to install a PWA when they might only need to use the web app very infrequently? Or what if I just wanted to try some functionality out first? Installing is an unnecessary speed bump for these cases.
Like I said, it’s surface area. It’s much larger in the case of the web since there’s any number of scenarios in which a user’s browser can be coaxed into running code that exploits a vulnerability that bypasses permissions and isolation (which is always possible by virtue of the browser being a privileged app, whether there are known exploits or not).
This sort of thing can happen with installed apps too, but the likelihood overall is far lower, especially if selecting judiciously.
The overwhelming majority of web apps don’t need filesystem access or similar special functionality, and thus users aren’t forced to install them.
In my personal experience, if my interest level in an app is so low that I wasn’t willing to install it, I was never going to use it in the first place either because the app wasn’t compelling enough or I didn’t have any actual need for it.
You have the same risks with apps though. An operating system has an even larger surface area. Sure, you need to manually install apps, but once installed they will automatically update.
Personally I would trust browser security far more than an OS simply because it is a much more desirable target to compromise. They're also built specifically to run untrusted code.