I think the issue with a traditional web app, is if they deliver one, they can be probably compelled by three-letter agencies to modify the app served to users or a specific user, to collect that user's information.

Distributing it as a signed desktop/mobile application makes it so they can't tamper with what users are running to be made complicit in attacking their users