I wouldn't be concerned about random apps hijacking my peripherals since I assume they will always need some kind of prompt to make a connection. However, if the browser bluetooth API allows you to scan devices I would be more concerned about fingerprinting.
The beacon sends out a signal which is the same as the connection advertising format, but with the CONNECTABLE bit turned off. This gives 20-30 bytes or so of data you can stuff out there along with the UUID.
The app typically listens for UUIDs of beacons it cares about, and when it sees it, collects the one-way device to app beacon data. Then does something with that -
It's just that the "something" is usually reporting to a website that the beacon has been seen. This is entirely how TILE find-it tags work.
So the threat model here is that if you can get someone to go to your website, you could potentially see what BLE beacons are near that device and report them.
I am not sure if SCANNING requires user consent - or just the connection event does.
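The advertisement described in the comment above, as an added example that is not part of the thread: a parser for a legacy BLE advertising PDU, where connectability is carried in the PDU type field of the header and the payload is a list of length/type/value structures. The sample bytes are constructed, and the choice of the iBeacon manufacturer-data layout for the beacon payload is an assumption made for illustration.

```javascript
// Added example. All bytes below are constructed sample data, not captured traffic.
// Legacy advertising PDU types: low 4 bits of the first header byte.
const PDU_TYPES = {
  0x0: { name: "ADV_IND", connectable: true },
  0x2: { name: "ADV_NONCONN_IND", connectable: false },
  0x6: { name: "ADV_SCAN_IND", connectable: false },
};
const fromHex = (s) => Uint8Array.from(s.match(/../g), (h) => parseInt(h, 16));
const toHex = (b) => Array.from(b, (x) => x.toString(16).padStart(2, "0")).join("");

// Split AdvData into AD structures: [length][type][value...], length counts type + value.
function parseAdStructures(data) {
  const out = [];
  for (let i = 0; i < data.length; ) {
    const len = data[i];
    if (len === 0) break; // zero length marks padding
    if (i + 1 + len > data.length) throw new RangeError("truncated AD structure");
    out.push({ type: data[i + 1], value: data.slice(i + 2, i + 1 + len) });
    i += 1 + len;
  }
  return out;
}

function parseAdvertisement(pdu) {
  const kind = PDU_TYPES[pdu[0] & 0x0f];
  if (!kind) throw new RangeError("PDU type not handled in this example");
  if (pdu.length < 8 || pdu[1] !== pdu.length - 2) throw new RangeError("bad length field");
  const address = toHex(pdu.slice(2, 8).reverse()); // AdvA is sent little-endian
  const ads = parseAdStructures(pdu.slice(8)); // AdvData: at most 31 bytes
  // Manufacturer-specific data (type 0xFF) in iBeacon layout:
  // company 0x004C, subtype 0x02, length 0x15, UUID(16), major(2), minor(2), tx power(1)
  const m = ads.find((a) => a.type === 0xff && a.value.length === 25 &&
    toHex(a.value.slice(0, 4)) === "4c000215");
  const beacon = m ? {
    uuid: toHex(m.value.slice(4, 20)),
    major: (m.value[20] << 8) | m.value[21],
    minor: (m.value[22] << 8) | m.value[23],
    txPower: (m.value[24] << 24) >> 24, // signed dBm at 1 m
  } : null;
  return { pduType: kind.name, connectable: kind.connectable, address, beacon };
}

// Constructed non-connectable beacon: header, AdvA, flags, manufacturer data.
const SAMPLE = fromHex("0224" + "665544332211" + "020106" + "1aff4c000215" +
  "00112233445566778899aabbccddeeff" + "0001" + "0002" + "c5");
console.log(parseAdvertisement(SAMPLE));
```

The stable UUID, major and minor fields are what make a beacon recognisable across sightings, which is the fingerprinting concern raised in the thread.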
It'd be remarkable if it wasn't used for spying, given the history of features added to web JavaScript. When has an API that gives JS access to more data or device capabilities not been used in this way? Often spying's among the top use cases in the wild for a new feature. At a minimum it'll be another dimension for fingerprinting.
This is not about technical consent, or misleading people. It is about a dialog that pops up when a page wants to access a specific Bluetooth device, and it has to know what kind of device beforehand. Webpages don't just get free rein to scan and access devices.
I'm sure a lot of people also don't realize that Google Chrome has had, for many years, an extension API for accessing USB devices. Has it been a problem? No.
This is just another communication protocol. It's reasonable for browsers to provide a strictly controlled environment to utilize it.
Yes it's a problem. My 85 year old grandmother was redirected to a strange website and was prompted for a series of chrome permissions, including to her computer's audio system. Conditioned to accept internet prompts from legitimate companies, she accepted and was then threatened and harassed verbally until in a panicked frenzy she gave the "voice" her banking and other personal information.
Google, Facebook, and many other technology companies have conditioned users to click 'Yes' and 'Accept All' and 'Share' such that we can no longer use such prompts to block malicious actors from our computer systems.
I do not trust software engineers to make the correct choice between "ooh a cool feature" and the general well being and privacy of their users. There has been too much precedent and incentivization for the former, including massive profit and promotional tracks.
That really has nothing to do with your initial assertion and frankly is dealing with an entirely unrelated problem. I can't untangle all of the things being conflated here.
If you know of any real (not theoretical) threats, let us know. Until then I (we) enjoy the convenience of modern technology.