Please stop making web apps, the web is for documents, not to be hijacked by Google in their attempt to wrestle personal computing from Microsoft.
This issue becomes even worse if you try to make software that can both be used with keyboard & mouse and on a small touchscreen. With very few exceptions, you end up with something that works poorly with both interfaces, instead of working great on one of them. Trying to do that in a browser rather than the OS only makes the issue worse (what happens when you press "Alt"?).
Websites are at least supposedly sandboxed so they are not as much of a risk as running native binaries. But this is getting worse and worse as browsers expose more and more of their host operating system's functionality. The benefits of using a website instead of a native app are quickly disappearing while the drawbacks have only been somewhat mitigated. We're getting to the point where browsers are worthy of the decades-old criticism Emacs has received. They have eventually become an OS with many fine features - simply lacking a good web browser.
The browser, and the web, has been destroyed by the insane security model of modern OS-Browsers: running every executable they're sent from anyone with not a care in the world as if it is normal. This one thing has made it so browsers cannot be in control of the user, made it so that CA TLS is pretty much required and so that browser devs write entirely for the security use cases of the insane corporate web applications instead of writing for human people looking at website documents.
And this same security model makes it so that web apps basically cannot communicate with each other at all, unlike real applications where piping between small applications is the entire idea.
I'm afraid it's the other way around. Browsers are (generally) better at sandboxing than OSs. Browsers are paranoid by default. They have to be, because visiting a website is just a click away (compared to multiple clicks/taps to install a native app).
For example, Chromium was able to mitigate Meltdown/Spectre within days, even if the OS was still vulnerable. (Chrome already had site isolation ready to ship, a feature that completely isolates websites into their own process.) Even better, Chromium browsers tend to update themselves (or via Google Play) automatically.
Meanwhile, OS vendors were scrambling to ship an OS update.
(Also, worth mentioning that iOS users were vulnerable until Apple shipped an OS update, because every browser on iOS has to use Apple's WebKit.)
The browser is an operating system. This might be unsettling to this crowd but we can’t just cover our eyes and hope it turns into the browser from 20 years ago.