Security is very hard. You need carefully constructed apps with carefully chosen dependencies, and generally you want the number of lines of code to be very small.
Anything webkit based is going to lose on all of those points almost immediately. Anything nodejs based is also going to lose on all of those points, because nodejs has a culture of massive dependency stacks run by whomever. Javascript in general is a pretty insecure language, unless you are using explicit subsets but even then javascript has a horrible reputation for security.
Something is better than nothing. I'd rather people use Telegram (pretty well known for terrible crypto) than people use nothing at all. Same with Felony. I'd rather people use bad crypto than no crypto.
But in general it would seem likely that anything built on a webstack has a low chance of passing a security audit. The cultures surrounding the webstack technologies prioritize shipping product and doing cool things over shipping bug-free or secure code. It's one of the reasons that the webstack is so popular. It's easy, and if you ship something buggy it's generally not too bad to go back and fix it later, especially for something like a webpage, because your users will get your updates immediately.
