Web apps would also have to get permissions like native apps.
But you're right that some permissions like complete file access might be a bit too much. They could implement it so that only signed Web apps installed through the app store would get such permissions.
The problem is not only permissions. The problem is that code execution model within anything a mile close to web and browsers is a security threat by itself.
But you're right that some permissions like complete file access might be a bit too much. They could implement it so that only signed Web apps installed through the app store would get such permissions.