The easiest way for a bad actor to get access to personal data on iPhone or Android is to simply ask for it --- create a junk installed app with some quasi-plausible excuse for requesting it. There is no restriction on what can be done with the data once the request is granted.
Granting a random app access to all your private data after they request access is very different than "There is nothing that actually prevents an installed app from collecting all your data."
I think the only sensitive APIs not available in the browser are calendar and photo gallery access, but PWAs have otherwise access to Contacts, GeoLocation, Cameras, Microphone, Clipboard, and even the FileSystem.
Maybe Android apps do suffer from the problem you’re describing, since permissions are granted lumped together at install time, but on iOS all permissions are optional just like in the browser.
PWAs don't have this problem.