To be fair there have been a drive of exposing web API for everything on the local machine, including USB, Bluetooth, etc. However, just like with location, camera, microphone, etc. access to vibration should be granted by the user, not automatically granted like right now.
It's too late for the web app/page ecosystem to be fixed, and adding more access just makes it worse. Most web stuff is so bloated with tracking and indirect third-party software installation that it's difficult for even the creator of a page/app to figure out what code gets run (see e.g. [1], scroll down to "Fad Ads"). There are still social norms for what native programs should do -- tracking and automatic forced update are frowned upon -- and developers who do these things are shunned.
The browser has become a sandbox for hostile actors, and it seems like a terrible idea to make that sandbox larger.
