The source code of the app is just an HTML file, no scripting involved. The buttons just have URIs which Damus is programmed to handle. An app on iOS can choose to handle its own URIs and do things on how they are programmed to handle the URIs. It's up to the app developer and the security is down to designing them to be handled properly and safely. App developers shouldn't program URIs that do extreme things when navigated to. The website is not actually changing anything, it's just Damus app behavior already built in. You could go to the source code, copy the URI in the anchor and put it in your browser bar for the same effect.

This can be done in Android apps too, but you won't see it done as often: