All the points are true, so we need to dig a little deeper and be more
specific about what is at issue here.
Online and Native are quite different trust and utility models.
Web applications protect the execution environment owned and managed
by the user. They do so at the cost of compromising some of the
user's data, which must usually be processed remotely. The protection
applies to most of the user's data. This trust tradeoff is
iterated/ongoing, so that benefits and harms accrue over time.
Native applications make a one-off trust transaction. "Is it safe to
install on my device?". In the win situation the benefit is speedy and
safe processing of all the user's data for all future time. If the
user is tricked, then the loss is catastrophic, exposing potentially
all of the user's data, perhaps silently/undetectably for
considerable future time.
That's a very simplified and perhaps naive distinction. Despite the
pressures of surveillance capitalism, some web services are honest,
TLS and GDPR work, and some users are sensible about what they share
online. On the flip side we are seeing that devices come pwned from
the factory, at the hardware or firmware level, which makes a nonsense
of the whole "endpoint security" paradigm.
> If the user is tricked, then the loss is catastrophic, exposing potentially all of the user's data, perhaps silently/undetectably for considerable future time.
For offline users we also have malware detection and firewalls.
Stopping outgoing connections can be really effective, but of course: if one has doubts one probably shouldn't install.
But a native app can upload anything it wants anywhere. Not just the images you processed but anything it can access on your computer.