
What about supply chain attacks?

Do you know if your trusted web app fell for one?



That's irrelevant. Both local apps and web apps are subject to supply chain attacks. The difference is that a local app that has had a supply chain attack carried out can read my documents, my private keys, my photos, etc; a web app that has similarly malicious code cannot do any of that. The browser protects me because it has a sandbox.

I also do not understand why you refer to "trusted web app" whereas in my comment above I have stated that I need a sandbox to run the code; I clearly don't trust it enough. The whole point is that the browser allows me to run untrusted code safely. And supply chain attack is one of the main reasons why I don't trust it enough.


Web apps have a magnitude more dependencies than desktop apps. A lot bigger attack vector.

>I also do not understand why you refer to "trusted web app" whereas in my comment above I have stated that I need a sandbox to run the code

Because you referred to apps stealing code from a different origin. I talk about the app you use to access the usb device per web usb.

Previously it was about a malicious app attacking per browser exploit.

This time the app is allowed to access the data but because of the supply chain attacks your data gets stolen.


> Web apps have a magnitude more dependencies than desktop apps

Irrelevant. As a user I do not care how many dependencies an app has. I care about my own data security and browsers have an excellent sandbox.

> Because you referred to apps stealing code from a different origin

I referred to apps stealing data from a different origin. Think my open web mail tab containing my email. That's an attack that browsers can prevent.

> I talk about the app you use to access the usb device per web usb.

That's what is supposed to happen. I explicitly want this vendor app to talk to vendor hardware.

> Previously it was about a malicious app attacking per browser exploit.

A malicious web app needs a browser exploit to access my data which costs millions of dollars on the black market. A local app does not need any exploit to access my data.

> the app is allowed to access the data but because of the supply chain attacks your data gets stolen

The app is never allowed to access my data. It doesn't matter whether supply chain attacks are involved or not.
