Comment by cosmic_cheese
5 days ago
Like I said, it’s surface area. It’s much larger in the case of the web since there’s any number of scenarios in which a user’s browser can be coaxed into running code that exploits a vulnerability that bypasses permissions and isolation (which is always possible by virtue of the browser being a privileged app, whether there are known exploits or not).
This sort of thing can happen with installed apps too, but the likelihood overall is far lower, especially if selecting judiciously.
The overwhelming majority of web apps don’t need filesystem access or similar special functionality, and thus users aren’t forced to install them.
In my personal experience, if my interest level in an app is so low that I wasn’t willing to install it, I was never going to use it in the first place either because the app wasn’t compelling enough or I didn’t have any actual need for it.
You have the same risks with apps though. An operating system has an even larger surface area. Sure, you need to manually install apps, but once installed they will automatically update.
Personally, I would trust browser security far more than an OS simply because it is a much more desirable target to compromise. They're also built specifically to run untrusted code.