I have not seen enough discussion regarding supply chain attacks regarding PWA vs native apps.
On Android (and I would be surprised if that's not the case on iOS too), apps are signed by their developers before being uploaded to the store. Developers with good opsec keep that signing key secured, and get it out only for signing releases.
Meanwhile, online PWAs are hot-loaded directly from the server every time you open them, just like a website.
If I were an attacker wishing to hack into the distribution of a wallet app to rug its users, I would definitely have a look into PWA servers, for the simple intuition that I've seen way more websites - including popular companies - getting hacked than app distribution pipelines.
Unless I see good reasons to not fear the larger, faster and more accessible supply chain attack surface PWAs have, I'm unlikely to ever trust them with anything sensitive.
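The comment above contrasts a native app, whose bundle is frozen under the developer's signing key at release time, with a PWA whose files are re-fetched from a server on every load. An added example (not from either commenter) of the defender-side control that narrows that gap for a locally hosted webapp: pin a manifest of per-file SHA-256 hashes plus a digest of that manifest, obtained out-of-band from the release, and refuse to run the bundle if any file was modified, added or removed. The file names, contents and the tampering step are all constructed for the demo; in a real release the manifest would additionally be signed with the developer's release key, which the standard library alone does not provide and is therefore only assumed here.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_hex(p.read_bytes())
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def manifest_digest(manifest: dict) -> str:
    """Digest over a canonical JSON encoding, so key order cannot change the result."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(canonical)


def verify_bundle(root: Path, pinned_manifest: dict, pinned_digest: str) -> dict:
    """Compare the on-disk webapp with the pinned manifest.

    The digest check guards the manifest itself (it would normally be the value
    carried in a signed release note, an assumption for this demo); the file
    comparison then reports exactly what drifted from the pinned release.
    """
    if manifest_digest(pinned_manifest) != pinned_digest:
        return {"ok": False, "reason": "pinned manifest does not match pinned digest",
                "modified": [], "missing": [], "added": []}
    current = build_manifest(root)
    modified = sorted(f for f in pinned_manifest if f in current and current[f] != pinned_manifest[f])
    missing = sorted(f for f in pinned_manifest if f not in current)
    added = sorted(f for f in current if f not in pinned_manifest)
    ok = not (modified or missing or added)
    return {"ok": ok, "modified": modified, "missing": missing, "added": added}


def demo() -> dict:
    """Constructed scenario: pin a tiny local webapp, then alter it the way a
    hot-loaded replacement would, and verify before and after."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<script src='app.js'></script>")
        (root / "app.js").write_text("console.log('wallet');")
        (root / "sw.js").write_text("self.addEventListener('fetch', () => {});")

        # Pinning happens once, at install time, from the trusted release.
        manifest = build_manifest(root)
        digest = manifest_digest(manifest)
        before = verify_bundle(root, manifest, digest)

        # Constructed drift: one pinned file changed, one unexpected file appeared.
        (root / "app.js").write_text("console.log('tampered');")
        (root / "inject.js").write_text("// constructed extra file")
        after = verify_bundle(root, manifest, digest)

        return {"before": before, "after": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the check is that it moves the trust decision from "whatever the server sent this time" to "the exact set of bytes pinned at install", which is the property native app signing gives for free; a launcher that runs `verify_bundle` before opening the local app turns a silent server-side swap into a refused start with a list of the files that changed.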
We're talking about a locally hosted webapp. You turn your internet off and you can access this webapp, because it's on your device, not somewhere else.