That trusted third party is way, way less universal than one might think.

On Windows, a lot of users still install software from installers which they simply download from a website and run. People who run Windows 7 or earlier (of which there are still many), or who don’t have or want a Microsoft account, don’t have any other way to install software anyway (and probably, in most cases, don’t care that they don’t). Windows users see so many UAC popups that they learn to click “Yes” whenever they see one, and given that even very mundane things on Windows (again, especially older Windows, which are still extremely common) can often require administrator access, many (or even most?) installers will ask for it.

On macOS, some software is available on the App Store, but even a lot of what is there is also separately downloadable as a PKG installer or a disk image with just a big .app to run. Software that must run as root, or unsigned software that recommends that users blindly run “sudo spctl --master-disable” in order to run it, are not uncommon, especially when it comes to (very popular!) less-than-legitimate copies of software.

On GNU/Linux, you sorta think the average user might know what they’re doing a little more, but there too, a lot of software that can’t get into a common distro’s package repos (or just doesn’t want to deal with it) just recommends that users add and trust the devs’ own repos. Of course, if the software is an AppImage or something, or if the user compiles and installs from source, there’s no package manager to deal with at all, and the software can basically do whatever.

On Android, installing downloaded APKs (and trusting the browser to install them) is semi-common, though not as much as on desktop stuff. A lot of people I know do this for NewPipe and other legitimate but Google-EULA-violating stuff.

iOS is really the lone place where unverified software is truly uncommon or limited to knowledgeable users (those who jailbreak), and even there it looks like the Supreme Court may have a chance to change that.

The status quo for the history of computing has been that software is installed at the user’s behest, and is at least moderately privileged, whereas content is not privileged and, traditionally, has not been “run” at all. As the web increasingly shifts from delivery of purely content to a mix of content and applications (the latter supported via PWAs), this needs to be acknowledged and cautiously handled. Believe me, I’m all for security. I do think more needs to be done for sandboxing of applications (Qubes OS, which I have daily-driven off and on for the past two years, has an interesting approach to this), and I truly believe that PWAs currently do, and should continue to, provide a secure-by-default, user-friendly way of doing this. No previous attempt at more powerful applications on the web (be it Java applets, ActiveX, or anything else like that) has ever provided an environment as secure, user-friendly, seamless, and compatible as PWAs do today.

That said, if the web, through PWAs, is truly to become an application platform, then the web needs to evolve to support, in a far more secure manner of course, the local, privileged things that Java applets or ActiveX allowed in the past, and that to this day continue to force developers to rely on proxies and other workarounds.

There is a balance to be struck between truly absurd and unnecessary APIs (driver installation from JavaScript? PWA disk partitioning? web microcode update API?) and things such as network access that even platforms as locked-down as iOS apps support.

Network access, with appropriate permissions and user awareness, is not too much to ask. You can’t have hypothetical users that are simultaneously too stupid not to accept a permission clearly saying that an application might be able to access other websites, but also too smart not to follow a glossy step-by-step download page to run a local version of the same application with full local root privileges.