by Perdition 4069 days ago
>It's sandboxed and not able to do anything - malicious or not - outside its restricted environment.

That argument is like the one that Linux is more secure because a malicious program will only have user rights.

Malicious scripts can do plenty of damage inside their restricted environment. There are whole books on how to securely write web apps due to the danger of "sandboxed" malicious JS.

Personally, I don't want to be tracked and profiled, yet nearly every major website is running multiple tracking and profiling scripts.

>If you could somehow disable all logic from executing in your OS native apps, would you do this by default?

I do disable native apps' ability to communicate with the network unless they actually need it.

P.S. I also find that those who take a pure "webapp" approach introduce design flaws into their apps. In Toggl, for example, when browsing summaries you can't open multiple tasks in detail because instead of using a hyperlink they use JS to fetch and display the task details. Any content link should be able to be opened in a new window/tab.