Most embeddable webviews allow binding additional methods that call into native though. This is how cordova works, in fact. If you're restricting access to local html/js, it shouldnt be any different to nw/electron from a security perspective.
Edit: looks like the tint framework linked above actually isolates the webview from the node runtime. Nice.
Edit: looks like the tint framework linked above actually isolates the webview from the node runtime. Nice.