Browsers support PWAs on the desktop platforms without there being a security nightmare, and while I'm sure there are some permissions that could be a problem, things like the camera and microphone are managed on the desktop without issue.
Is there some flaw in iOS that makes it harder to secure than the desktop?
iOS was never conceived of as something which would run arbitrary code that could access system-level data (the siloed data). So basically the situation exists by design, and in order to achieve security when enabling PWAs from other browser engines, they'd have to add another layer of security that currently doesn't exist (since they never had to trust anyone's code but their own).
So... yes, there is apparently a lack of security there, but that's because the layer in question was never intended to be anything but proprietary until this ruling.