Yeah, at first, I was like... Okay, so the victim needs to install a malicious app, which means they already have code execution. This is just a permissions escalation? I suppose that can be bad if the target Unity app has some wide permissions.

But if it can be exploited via a browser, then it means any website with an XSS vulnerability becomes an attack vector. But the attack needs to specify which app to start. So even if you found a great app that uses Unity and has juicy permissions, you'd have to hope your victims have that specific app installed. I'm not sure you could try to launch multiple apps without tipping off the user that the website is trying to do something funky.

Sure, it's a game engine; they are not exactly praised for their security. But my understanding is that for games the end user has a mental model where the engine isolates the user's computer from the game content (the levels, art and game logic). I am not sure how relevant this mental model is to Unity, where Unity is more of a game engine framework and the engine proper and the game code are more or less intertwined within that.

The gold example is the original Quake, where the engine had an application-specific VM to run the game code. Again, not security focused, and I am fairly sure VM escapes would be easy to find. But I also don't remember ever hearing news of how a Quake mod installed a rootkit on someone's PC.