I think if Apple locks down MacOS enough to actually protect users (not just continue the platform's illusion of superiority) you'll know because ISVs will all say it's impossible to get anything done and abandon the platform.

It's very hard to have a platform that's locked down enough to keep people truly safe as this assumes, while keeping it viable for general purpose third party software from ISVs.

I actually ran into one of the corner cases for this recently. Say you own a Yubico Security Key. With any decent web browser you can use this with WebAuthn or U2F and it's unphishable. But, the Security Key itself is relying on your web browser being honest about the origin.

On an iPhone there is only one web browser, Apple made it, everybody else can only re-skin it a bit. So, no problem, Apple's web browser is honest and any third party software that says "Hi I'm your web browser, I need to sign into google.com" does not work, it isn't your web browser.

On a Windows PC, or a Mac, any program can say it's a web browser, if you're foolish enough to install ZoomUpgrade.exe it can tell your Security Key "I'm a web browser, give me credentials for google.com" and that works, the OS has no way to know if this is or is not a web browser.

Android gives you an interesting middle case. Not only Chrome but also Firefox works. Ah, but only the official Mozilla builds of Firefox. If you build Firefox, name it "Netsharc 1000" and try to install it on your Android, it mysteriously can't do WebAuthn. As well as all those Android permissions you can ask for in the manifest, and the ones you have to ask for explicitly at runtime, there are extra permissions only the platform owner (Google) can grant, and official builds of Firefox have the "I'm really a web browser" permission which allows them to use the Security Key for web sites.

I'd bet a lot fewer people install browser extensions than install Zoom. Security isn't about absolute protection but about making things ever more difficult to exploit.