PWAs are generally considered safe to install because they are just a website (running in a sandbox) plus some fancy desktop integration. Normal software you install doesn't run in a sandbox and has many more capabilities.
However, as with every phishing attack, the user must ignore small (security-related) hints.
It's "installed" through the browser, and it runs in the browser. So a PWA is just a browser app that maybe runs in a window with no browser chrome so it feels more native.