Apple doesn't want app developers to deflect responsibility of user data siphoning off onto third-party websites or parties. Think the contacts API - the user might grant the app access to it in general, but then facebook.com could try to access them via a special browser API; if there aren't any extra prompts within the browser's code asking for user permission, this could lead to the site siphoning off user contacts without the user knowing.