PWA is simply a web app with special config for mobile browsers. Each PWA is as safe as the author creates it. Timechain Calendar is not the best reference for assessing “safety” of PWA’s as it is a purely client side data display site. There is no backend, no user accounts, nothing needing to be secured. There are plenty of other web apps that do all kinds of sensitive functionality and financial features quite securely.
Discussion
Everything is fine with timechaincalendar! Great app and I use it all the time, thank you! I just gave it as an example as a PWA. It's fine for an app like this.
What I meant about security is that not all applications will be able to be implemented as PWAs from a security perspective. Especially those that work with users data and funds. Damus had a web version in the early days but it was shut down due to a vulnerability. That’s an example.
We've been talking about leaving Apple's app store for the last few days (I'm not in favor of that) and if PWA is presented as an alternative, then I don't agree with that statement. Maybe partly.
I still argue that a PWA does not mean worse security than a native app. There are all kinds of web apps that deal with fortunes of money and peoples most sensitive info. The security is a function of the engineers and software architects. Conversely native does not guarantee secure for the same exact reasons.