What's fantastic about not even having the option? What's fantastic about having to pay $100/year or reinstall your apps once a week, in addition to having Apple MITM any notifications?
Push notifications in the way that phones do it are necessarily platform and service specific.
You don't have to allow Apple to MITM your push notifications BTW. Just send a generic ping to your app, and when it wakes up pull the actual content from your server and display the notification.
As a user I don't want push notifications from websites.
I know there are some exceptions (like messengers), but really, those should be apps because Apples centralised push messaging system is better for my battery life.
But there's no such an easy way to enable a feature you need, but which wasn't implemented.
I _do_ _not_ want it.
I do not want it to be expected.
I do not want it to be assumed.
I do not want to have to configure anything.
_I DO NOT WANT IT_
A better option would be for users to be able to select alternate push servers.
I mean, I know why nation-state attackers love them - it's super easy to exploit them, and once you do, you have full access to everything in the user account (including all browser login sessions). But what's the advantage to users?
Not on mobile.
tl;dr: The exploitation was indeed done through apps. The OS itself is harder to exploit, but most apps are not as secure and provide the first foot-in-the-door for the attacker.
But I am still convinced that having a myriad of different apps, most of which are developed without real regards to security, makes the attack surface much larger -- e.g. you are likely to find a popular exploitable app that already has legitimate access to user data (such as "all the time" location data, contacts, calendar, ...) - as NSO did with whatsapp.