So the app should ask for permission to a reasonable set of domains, and when you're installing it, you should get a clearly laid out permissions / privacy risk management worksheet to look at and agree to.
Many sites use dozens of domains. Some (probably most) are ads, tracking, and the like. But much of it is stuff needed to run the site. I don't think there is a reasonable set of defaults other than things not on an ad blocker blacklist. And asking the user to approve each domain on a page is too much -- how would they decide, and how would they know which one prevented the site from working properly?
It's certainly flawed, but providing all of the assets creates a different class of problems. Both approaches have pros and cons, plus the original comment I replied to passed it off as a solution to the problem at hand, which it's not.