Given that all websites are running code on your device, that seems like a distinction with a very small difference. The question is what has the better sandbox to protect yourself. The web is definitely better but somehow I still get tracked across sites and shown "relevant" ads. Mobile apps are also fairly well sandboxed and yet some apps that need your permission to do something useful also use that permission to do evil.
As web applications get more powerful, they will become a greater and greater source of the issues that currently plague mobile apps.
Most mobile apps are really just glorified websites that don't need anything above and beyond the web sandbox. But they're going to ask for those permissions anyway, because when an app is the only way to use a sufficiently popular service, people will grant them.
It is much easier when being nice is enforced by a third party - in other words, the webpage might have an interest in taking all your cycles, but the browser app has an interest in the opposite (battery life and whatnot). So far, this seems to work well - for all the gripes of FB Messenger taking all the CPU and requiring every permission in the known universe, the FB mobile web gets adequately sandboxed by the browser.
(I am aware that the Android app model has also promised some sandboxing, but apparently even in a low-permission mode, the protection seems to be rather anemic)
As web applications get more powerful, they will become a greater and greater source of the issues that currently plague mobile apps.