Just because you've given permission to an app to access, say, your microphone, doesn't mean that it's not spying on you. That guitar-tuning app that was mentioned earlier might well be spying on you using the microphone it got access to.
The guitar-tuning app is a special case that actually has a legitimate need to use a microphone, but I've seen countless apps that need all sorts of permissions that they don't legitimately need. Like calculator apps that need permission to access my microphone or contacts.
The sad thing is that most users will just click through a popup asking for permissions, just like they do the "Run as administrator" popups on Windows. Such things are just not very effective safeguards.
Even with limited permissions, allowing JS apps to run on my system opens me up to all sorts of JS exploits, tracking, and advertising that just aren't possible or much more difficult with static HTML (which has a much smaller attack surface than JS anyway).
Native apps are even worse. At least websites are ephemeral and you can pop open a dev console and inspect/block the traffic.
Native apps ask you for permissions and then can access those features for as long as they're installed on your phone, often in the background. Ever see what kind of data Google has on the average Android user? It knows their exact route through town every day. It's crazy.
Maybe the world would be a better place if 1999 MapQuest was still the most advanced app on the internet. But your fixation on JavaScript in this thread sounds out of touch with the more inconvenient truths of modern technology, probably because JavaScript happens to be the one you can live without.
Native apps are static. You know what is in them from version to version. JavaScript changes every time you pull it down and even changes as you use it.
In response to the tuner app, you said "make it a native app". The alternatives we're discussing are not static HTML vs JS, it's native apps vs web apps. Both kinds of apps can spy on you, both kinds can ask for tons of permissions they don't need, both have exploits, tracking, and advertising.