About the only worse thing would be a WebPCIe.
Edit, here's how Google justifies the existence of WebUSB (https://web.dev/usb/):
"""
Let's see the behavior you could expect with the WebUSB API:
1. Buy a USB device.
2. Plug it into your computer. A notification appears right away, with the right website to go to for this device.
3. Click the notification. The website is there and ready to use!
4. Click to connect and a USB device chooser shows up in Chrome where you can pick your device.
The goal is to make Chrome the OS. As long as your USB device works on Chrome, who cares about it working on the rest of the system. Absolute madness.
Given the seemingly extensive support for doing emulated USB passthrough/redirection to VMs, I'm assuming people have looked into the security implications to the host.
Edit, here's how Google justifies the existence of WebUSB (https://web.dev/usb/):
"""
Let's see the behavior you could expect with the WebUSB API:
1. Buy a USB device.
2. Plug it into your computer. A notification appears right away, with the right website to go to for this device.
3. Click the notification. The website is there and ready to use!
4. Click to connect and a USB device chooser shows up in Chrome where you can pick your device.
"""
The goal is to make Chrome the OS. As long as your USB device works on Chrome, who cares about it working on the rest of the system. Absolute madness.