iMessage has also been the main source of hacks for iPhones for years if not decades. Apple really struggle with securing iMessage.
It definitely does not need to run all the time, it could be woken up by incoming notification like all other apps (and I hope it is how it actually works).
But I don't see why a browser should run at system level - if the app is closed, there is no reason for its code to be running.