I love web apps because they mean I have to trust the developer a lot less than with native apps. Of course there are still things you'd have to monitor (e.g. network requests) to fully trust any web app. A good solution could be something like OpenBSD's pledge, to allow me to prove to the user nothing malicious is possible (e.g. by disabling fetch and any new requests, even from src attributes, altogether).
As a sandbox, I especially like that there's a dropdown with a huge list of things a website/app can do. Many of them on by default, but I have total control over that. And of course the API for asking.
"Hey this game wants to use your motion controls and USB gamepad." Okay sure.
Yeah, the sandbox is nice, but it doesn't go far enough. Let's say I build a JSON viewer. Why should the page have any ability to make network requests? So what I'm asking for is an ability to pledge that I'm not going to make any network requests.
