[arepublicadoceu]

> As an aside, how would a notification steal your info?

How about:

“Hey dear user you won {amount} of money please click here and fill this totally safe form”

This was me thinking for a solid 3 seconds, imagine if someone put some effort into the message.

[Etheryte]

This is not a threat model that's unique to PWAs though, nor in any way enabled by what's seen here. Installing a PWA is practically equivalent to installing an app and a malicious app or an app that had their OneSignal or similar credentials compromised could do the exact same thing.

[diebeforei485]

Apple can disable push notifications from a compromised app.

It's unclear if they can do it for a compromised website, which was my question above.