I reviewed many wallets for walletscrutiny.com and many use web technology for their UI. It's not exactly PWAs but if you offer a PWA website, it's easy to bundle that website into a "native" app such that the executable code can be audited and is reproducible.
https://walletscrutiny.com/android/it.airgap.vault/ proves that you can have full transparency.
Now for nostr apps we need separate signing apps like we have browser extensions on the desktop, as there are just too many irresistible web tools and pasting your private keys into all - or any - of them should be avoided. If we can separate the delicate signing and decryption, I wouldn't worry too much about using websites and their lack of pinning versions and auditing them. Yes, some tools leaking your chats would be a problem but it should be detectable and with limited impact once we avoid private key exposure to all these apps.