> browser is very well sandboxed and security hardened.

But the back-end of a browser-only tool may not be. And it may not be online the next time you go to use it. Or it may lose or sell your data.

Sure, there's a confidentiality issue with whatever data you upload, but there's low risk of the rest of the data on your system being compromised.

Very … well … sandboxed … browsers?

Ummm, there’s Spectre in JavaScript.

And everywhere else? Although it does present a risk to sandboxed environments, Spectre is not a sandboxing issue, it's a CPU bug.

Semantic, shemantic; Risk remains the same.

The risk is very much not the same. Running native code is much higher risk, compared to running JS inside a browser.

The list of bad things a web app can do is a strict subset of the list of bad things a native app can do (after all, the web browser is just another a native app).

While it is true, there are problems with customization and other features; a better sandboxed environment will be needed which e.g. can use command-line, better ability to control and make connections/interactions with other programs in the computer, locally storing file (even using without internet connections), etc. The web browser / HTML is, I think, not a very well designed sandboxed environment, really.

Notably if JavaScript can access a file system then all bets are off.