One thing is that on mobile OSes (iOS and Android), the apps are sandboxed. It is wrong to say that they are not, I don't know what people believe. Programs are typically not sandboxed on desktop OSes (though they can be, but the user has to do something about it), but on mobile they most definitely are. That's part of the reason why the security models of iOS and Android are better than desktop OSes.

Just like you don't have to give access to your filesystem to a webapp (but you can), you don't have to give this access to an app.

The reason to like webapps better than mobile apps is, IMO, not security (again, IMO it's worse in terms of security). The reason could be that they want to rely on an open source tech stack (which iOS does not provide, but Android does!). But really my feeling is that it's often either uninformed or political (i.e. it feels like a strong statement against Google to refuse Android apps?). Which again is weird to me because Google controls the browsers development (via Chromium) just as much as they control the Android core (AOSP). People who are happy with chromium should be happy with GrapheneOS, I would say.