Web apps are fine if you use them in a sandboxed environment https://f-droid.org/en/packages/com.tobykurien.webapps/
and when encrypted at rest (when you switch to another app even if it can be made that way)
What is not so much okay is when you're executing in the same environment as this: https://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-15031/opec-1/Google-Chrome.html
I'd prefer even if you didn't use the same device as something that has spyware such as this: https://www.shopify.com/enterprise/cross-device-ad-targeting
but I know there's only so much you can ask of the normie. Best practice, in my view, would be to have a channel with a more secure device that funds the less secure device (in person, not automatically) when you're ready to spend.
But Android with all the Google spyware can do a decent job of sandboxing (even if you have to create a work profile for your sandboxed app). I don't know much about Apple, though.
Sometimes that just means there aren't many security researchers looking at the code though.