It's not the Sandbox between Safari and Bank of America app - its the sandbox within Safari between the Bank of America PWA and Some Game PWA at issue.
Does Safari, as the browser engine running PWAs have access to the data of multiple PWAs?
If so, and Apple has good security - that's not a problem.
However, if Safari does have that access to multiple PWAs local data, and a different browser engine is used and also needs access to multiple PWAs data stores in order to be able to run them, what can Apple do to ensure that one PWA can't break out of its sandbox within the (as an example) Firefox PWA runner and access the data for another PWA?
If Apple cannot ensure that all browser engines have the rigorous design and/or history of security design and promptness of rolling out fixes when 0 days are discovered ... should Apple grant the additional security access for a 3rd party browser engine to be able to access the data of multiple PWAs?
If Apple should not grant that access because the other browser engines may not be as secure, then Apple (according to the law) must not grant its browser engine any favored position within the system.
The way to fill that requirement is to either figure out how to create additional sandboxes within 3rd party code so that PWAs running within FireFox cannot break out of their sandbox to access other PWAs ... or remove the ability for Safari to run PWAs all together.
And you pointed out yourself ... "If Apple wanted to implement PWAs correctly," - they apparently didn't implement PWAs correctly and are using sandboxing within Safari rather than sandboxing the PWAs and Safari combination at the OS level.
Should Apple invest the time to fix Safari and PWAs and 3rd party browser engines? Or given the low adoption of PWAs, is it less work and better security, and only a marginal loss of functionality to remove PWAs from Safari?
Does Safari, as the browser engine running PWAs have access to the data of multiple PWAs?
If so, and Apple has good security - that's not a problem.
However, if Safari does have that access to multiple PWAs local data, and a different browser engine is used and also needs access to multiple PWAs data stores in order to be able to run them, what can Apple do to ensure that one PWA can't break out of its sandbox within the (as an example) Firefox PWA runner and access the data for another PWA?
If Apple cannot ensure that all browser engines have the rigorous design and/or history of security design and promptness of rolling out fixes when 0 days are discovered ... should Apple grant the additional security access for a 3rd party browser engine to be able to access the data of multiple PWAs?
If Apple should not grant that access because the other browser engines may not be as secure, then Apple (according to the law) must not grant its browser engine any favored position within the system.
The way to fill that requirement is to either figure out how to create additional sandboxes within 3rd party code so that PWAs running within FireFox cannot break out of their sandbox to access other PWAs ... or remove the ability for Safari to run PWAs all together.
And you pointed out yourself ... "If Apple wanted to implement PWAs correctly," - they apparently didn't implement PWAs correctly and are using sandboxing within Safari rather than sandboxing the PWAs and Safari combination at the OS level.
Should Apple invest the time to fix Safari and PWAs and 3rd party browser engines? Or given the low adoption of PWAs, is it less work and better security, and only a marginal loss of functionality to remove PWAs from Safari?