Well it needs to be downloaded from the internet at least the first time, so it's intrinsically going to be less secure than an app that you can guarantee never connects to the internet.
Your app needs to be downloaded the first time too. In fact, a downloaded app can run riot on your filesystem. A web app runs in the "cage" of the browser, and is arguably more secure and explicit about permissions it requests.
"... can run riot on your filesystem"? Citation needed because an app is as heavily sandboxed as a web page running in a browser. An ios app gets no view into anything you as a user don't choose to give it (no access to photos, etc).
I mean, if you give the app access to your filesystem (which a lot of non-tech users would, almost without thinking), it can potentially access/modify/delete your files and folders. With PWAs, that's not really a possibility.
Has to come from somewhere. A pwa might have to come via http (I'm not sure) - but html+js+css can come from the (from a) filesystem too. Like an USB-c memory stick.
Or from an extracted archive (much like a native app).
No, it just has to run in a browser.