Did you read my comment? You still need to grant the permission to the browser in the first place.
This isn't any different from how it works already for all kinds of apps: If you grant Zoom the permission to access your camera, you do that once, and have to trust it on a per-call basis to not turn on your camera without your explicit consent.
If you don't trust your third-party browser to respect your choice as to which websites you want to grant access to your sensitive data, you probably shouldn't be using it, or at least not grant it access to that data in turn.
How would websites get access to your contacts? Just don't grant access to your contacts to your browser, whatever it is, problem solved!
The same applies to photos. iOS even has an API to let you pick a single photo to upload/share with an app that doesn't grant any access beyond that. And for messages there isn't even an API in the iOS sandbox.
Maybe you could clarify your concern; as far as I understand it, nothing whatsoever is changing on iOS due to the DMA in this regard (and I wouldn't want it to).
I think the concern/problem is you might want a pwa to have access to contacts, but you don’t want to provide contact access to the entire browser in this scenario since you may not trust the browser/other websites.
This isn't any different from how it works already for all kinds of apps: If you grant Zoom the permission to access your camera, you do that once, and have to trust it on a per-call basis to not turn on your camera without your explicit consent.
If you don't trust your third-party browser to respect your choice as to which websites you want to grant access to your sensitive data, you probably shouldn't be using it, or at least not grant it access to that data in turn.