> native desktop app exposes a much larger attack surface
If we're talking about code executed as a result of, say, buffer overflow attacks, then the impact is the same both for the native app and for the browser. The latter, however, has way much more places where that overflow could happen! And they still happen, security updates for the browsers get pushed all the time.
(And we're not even talking about the world of XSS/CSRF attacks here! Those are pretty much exclusive to the browsers, and widen the attack surface tremendously.)
Not to mention that native apps can be properly reviewed and vetted by Linux distributions.
And have a tiny codebase compared to a browser. And even tinier compared to a browser + all the potentially hostile javascript, css, html, sng, png out there.
And run in native sandboxes or external sandboxes like firejail.
If we're talking about code executed as a result of, say, buffer overflow attacks, then the impact is the same both for the native app and for the browser. The latter, however, has way much more places where that overflow could happen! And they still happen, security updates for the browsers get pushed all the time.
(And we're not even talking about the world of XSS/CSRF attacks here! Those are pretty much exclusive to the browsers, and widen the attack surface tremendously.)