> a big attack surface

Wdym? At least web apps are sandboxed by default in contrast to native.