Coder friends. I have a question. How could a malicious actor compromise a Google Play Store app on someone's phone without them knowingly downloading another file or clicking another link, e.g., the app was compromised such that within the app a web browser overlay is injected, essentially intercepting interaction with the device so they aren't really using the app but interacting with a webpage?

#asknostr nostr:nprofile1qyt8wumn8ghj7etyv4hzumn0wd68ytnvv9hxgtcppemhxue69uhkummn9ekx7mp0qqs8a474cw4lqmapcq8hr7res4nknar2ey34fsffk0k42cjsdyn7yqqhdnr9g #code #blackhat

Discussion

Bueller? Anyone? FWIW I don't want to do this, I want to help someone not have this done to them again.

nostr:nevent1qvzqqqqqqypzqead4r35g5evh7p0peczguhzf3ufdc8pe93rt6kt42jtsctq2gt3qqs8x8pepkl7wdsyfqwpu9kvpahfwva6493vf06tytl5e8a7sk8myyg6jmrcx

The mentioned note isn't populating, can't see.

I’ll check it out. Thank you.

To be honest, I don't know. I also don't know how many devs on Nostr are really focused on or knowledgeable about Android cybersecurity.

Thank you, it's interesting that no one other than nostr:nprofile1qyd8wumn8ghj7enjv4jkccte9eek7anzd96zu6r0wd6z7qgcwaehxw309ahx7um5wgh8xmmkvf5hgtngdaehgtcqypzdc8pdh8plh4a7ayjhan44903ulrzqhtmmv06xu4443gf3ca8sk0sz8qv even had a guess. I wonder if this scam is really well managed and still highly covert.

I don't think they can.

Maybe nostr:nprofile1qqstnr0dfn4w5grepk7t8sc5qp5jqzwnf3lejf7zs6p44xdhfqd9cgspzpmhxue69uhkummnw3ezumt0d5hszrnhwden5te0dehhxtnvdakz7qgawaehxw309ahx7um5wghxy6t5vdhkjmn9wgh8xmmrd9skctcnv0md0 can say more.

If an app loads remote content submitted by other users of the app, then attack surface for remote code execution vulnerabilities could be there. The most common example is instant messenger apps having zero-click exploits thanks to malicious attachments with payloads that the app automatically parses or loads.

These attacks are highly sophisticated (the ability to be able to do them is sold on bounty sites for millions of dollars), with the number of targets usually being in the hundreds. It isn't a concern for most people and you are not a significant target.

This also depends on a malicious actor knowing who you are to send an attachment. For the attacks you're talking about, the device is compromised, not the app. All apps need to be signed by the real developer to be an accepted update on the OS. It would need to have been a phishing app, the signing key of the real app was compromised, or the developer was intentionally malicious from the beginning.

For your example of attack, it wouldn't really be something typical of what someone would try to do with this, and it would show signs of compromise even if subtle. For example, if you're using a password manager to log into a service, why doesn't it recognize this fake web login page as a real one?

Native apps look very different to web pages and webviews. With this kind of attack they have a lot of access in different areas, so there's no need
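
Added example, not part of the thread: the reply's point that an update must carry the real developer's signature can be checked on a suspect device by comparing the installed APK's signer certificate against one taken from a trusted copy of the same app. This sketch parses the text printed by `apksigner verify --print-certs`; it assumes the `Signer #N certificate SHA-256 digest:` line format, and the function names, pinned value and sample outputs are constructed for illustration.

```python
import re

# Line printed by `apksigner verify --print-certs app.apk` (Android SDK build-tools).
# The APK can be copied off a device with `adb shell pm path <package>` and `adb pull`.
DIGEST_RE = re.compile(
    r"^Signer #\d+ certificate SHA-256 digest: ([0-9a-fA-F]{64})\s*$", re.M)

def signer_digests(apksigner_output):
    """Return the set of signer certificate SHA-256 digests in the output."""
    return {m.group(1).lower() for m in DIGEST_RE.finditer(apksigner_output)}

def classify(apksigner_output, pinned_digests):
    """Compare an APK's signers with digests pinned from a trusted copy.

    'match'     every signer is pinned: same developer key as the trusted copy
    'mismatch'  an unknown signer: lookalike or repackaged app (or a key the
                developer rotated to, which needs confirming with the developer)
    'no-signer' no digest line parsed: verification failed or output was cut
    """
    found = signer_digests(apksigner_output)
    if not found:
        return "no-signer"
    pinned = {d.lower() for d in pinned_digests}
    return "match" if found <= pinned else "mismatch"

# Constructed sample data: placeholder digests, not real certificates.
PINNED = {"ab" * 32}
SAMPLE_GENUINE = (
    "Signer #1 certificate DN: CN=Example Developer\n"
    "Signer #1 certificate SHA-256 digest: " + "ab" * 32 + "\n"
    "Signer #1 certificate SHA-1 digest: " + "cd" * 20 + "\n"
)
SAMPLE_LOOKALIKE = (
    "Signer #1 certificate DN: CN=Example Developer\n"  # DN is self-asserted
    "Signer #1 certificate SHA-256 digest: " + "12" * 32 + "\n"
)
SAMPLE_FAILED = "DOES NOT VERIFY\n"

if __name__ == "__main__":
    for name, out in [("genuine", SAMPLE_GENUINE),
                      ("lookalike", SAMPLE_LOOKALIKE),
                      ("failed", SAMPLE_FAILED)]:
        print(name, "->", classify(out, PINNED))
```

The lookalike sample keeps the same certificate DN on purpose: the name in a signing certificate is chosen by whoever generated the key, so only the digest comparison distinguishes the two.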