So, here's Apple's concern, which is valid: every website (PWA) should have isolated storage (cookies etc), and independent access to system resources (webcam etc) confirmed by the user on a per-site basis. I think we can all agree that's how things should be.
Previously, Safari handled these requirements because it's a modern browser (isolated storage has been a cornerstone of browser security for a long time), and had special privileges in iOS to configure per-site user permissions, whereas normal apps only had app-wide permissions.
Luckily, Chrome already has isolated per-site storage because it's also a modern browser. If it didn't, the world would probably explode.
That leaves per-site permissions as the only real problem. I'm sure the Chrome-on-iOS team would do whatever it takes to make this a good user experience, but let's assume for the sake of argument that this would actually be a burden for Apple to support.
How does disabling PWA functionality change the security situation whatsoever? Users preferring Chrome would just load the sites in Chrome as a bookmark, which has no meaningful difference from a "security" perspective. Users strictly using Safari obviously have a strictly-worse experience. Who does this help? What is made more secure by disabling this?
I just don't understand what PWAs have to do with any of this. There is nothing that a PWA can do that a regular Chrome window would not be able to do. Apple is being forced to support the latter. What's wrong with continuing to support the former?
If it all boils down to "Apple users expect Apple to have control over everything, and if that expectation is violated, it will be really bad", then I'm sure EU regulators will handle it. Is there anything I'm missing from a security perspective?
PWAs adhere to the same-origin policy, and all browser security policies associated. This means isolated storage (IndexedDB & local storage), isolated permissions, etc. Every modern browser has support for this.
One webpage accessing the resources and data of another webpage is among the most basic of things globally known to be disallowed. This sandboxing reasoning is extremely bad faith.
Apple could trivially audit browser apps and provide warnings if they do not adhere to basic security policies literally every browser has implemented. This is a basic, user friendly approach.
Their behavior is akin to a small, bratty toddler throwing a little tantrum, but instead of being a small toddler, it is one of the largest corporations on the planet. Their "little tantrum" impacts lives and livelihoods, because they are upset a population has reps that actually represent them.