Worth pointing out that not all in-app browsers are created equal, however. A huge number of apps, probably the majority, on iOS use SFSafariViewController for theirs, which is basically an isolated Safari tab that runs out of process and app developers have no access to. Furthermore, SFSafariViewController instances are unique per-app, each with their own separate set of cookies so apps can’t trick you into visiting a link to gain access to full Safari’s cookies.
IIRC Android has something similar that opens an isolated Chrome tab within apps but I have no idea how common usage of that is in Android apps.
You are correct; however, in the case of some of the biggest apps (Reddit's official app among them), they use the old WKWebView specifically for the ability to inject code. The more user-centric third-party apps that Twitter/Reddit have targeted lately used SFSafariViewController.
The question is, is there any way for the user to tell the difference just by looking? Or is that something you have to be able to examine the binary to be able to determine?
On Android, when you have the WebView open, go to the app switcher and the title will tell you which app provides the view: the original app, or your browser.
Yes, the one that is “clean” has the open in Safari icon. However, as soon as that becomes common knowledge I’m guessing the malicious apps will be adding that icon
IIRC Android has something similar that opens an isolated Chrome tab within apps but I have no idea how common usage of that is in Android apps.