
Well, to each their own. For me, I'd prefer everything in the browser. I hate having to trust native software. Native software can read/upload my entire home folder, all files, .ssh keys, browser history, password database, photos, videos, etc... Websites can't. Native apps have access to every open exploit on my machine. Webapps don't. Native apps can scan my network for other exploitable devices. Webapps can't. So, more webapps for me please.


Web apps that use Electron (for example, Discord's desktop client) have full filesystem access and can do just what you say. Many people think it's safe because it's 'web'. It isn't. It's worse because of the misperception.

They can just add something like require('fs').readFileSync(process.env.HOME + '/.ssh/id_rsa').toString() and send this to their servers, and you won't even notice that (since it doesn't require an update on the client, because the client is just a browser with full permissions that loads obfuscated code from their servers every time you launch it).

And with both remaining big browsers' dev groups announcing they'll be adding greatly expanded filesystem access to browsers for normal websites, this will likely apply there too.
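A defender-side check for the Electron exposure described in the comment above, as an added example that is not part of the thread and not Electron's or Discord's code: it audits window options for the combination that lets remotely loaded page scripts reach Node.js APIs such as `require('fs')`. The window names, URLs, severity labels and the simplified defaults model are assumptions of this example; `nodeIntegration`, `contextIsolation` and `sandbox` are real Electron `webPreferences` options.

```javascript
'use strict';

// Constructed sample: window descriptions as they might be collected from an
// app's main-process source. Names and URLs are made up for this example.
const SAMPLE_WINDOWS = [
  { name: 'legacy-chat', url: 'https://app.example.com/', webPreferences: { nodeIntegration: true, contextIsolation: false } },
  { name: 'local-settings', url: 'file:///app/settings.html', webPreferences: { nodeIntegration: true, contextIsolation: false } },
  { name: 'hardened', url: 'https://app.example.com/', webPreferences: { nodeIntegration: false, contextIsolation: true, sandbox: true } },
  { name: 'half-hardened', url: 'https://app.example.com/', webPreferences: { contextIsolation: true, sandbox: false } },
];

// Simplified model (assumption): unset options take their hardened values,
// and a renderer is sandboxed unless sandbox is false or nodeIntegration is on.
function auditWindow(win) {
  const p = win.webPreferences || {};
  const node = p.nodeIntegration === true;
  const isolated = p.contextIsolation !== false;
  const sandboxed = p.sandbox === undefined ? !node : p.sandbox === true;
  const remote = /^https?:\/\//i.test(win.url || '');
  const findings = [];
  const add = (severity, id) => findings.push({ severity, id });

  // require('fs') is reachable from page scripts only when Node is enabled,
  // the renderer is unsandboxed and context isolation is off.
  if (node && !sandboxed && !isolated) {
    add(remote ? 'critical' : 'high', 'page-scripts-have-node-access');
  } else {
    if (node) add('medium', 'node-integration-enabled');
    if (!isolated) add('medium', 'context-isolation-disabled');
    if (!sandboxed) add('low', 'renderer-not-sandboxed');
  }
  if (remote && /^http:/i.test(win.url)) add('high', 'remote-content-over-plain-http');
  return findings;
}

const RANK = { none: 0, low: 1, medium: 2, high: 3, critical: 4 };

// Worst severity per window name, for a quick triage view.
function auditApp(windows) {
  const out = {};
  for (const w of windows) {
    out[w.name] = auditWindow(w).reduce(
      (worst, f) => (RANK[f.severity] > RANK[worst] ? f.severity : worst), 'none');
  }
  return out;
}

console.log(auditApp(SAMPLE_WINDOWS));
```

The 'critical' result marks the case the comment describes: code fetched from a server at every launch running with the same file access as the app itself.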


Electron is a native app. So agree, don't like it, prefer web app.



