Not entirely true. Browsers are paranoid by default (because visiting a website is as easy as clicking a link). Operating systems aren't (because the user explicitly installed an app, it's been "vetted" by app store experts, and because... well, the OS vendor wants you to build native apps and not a website, so they have to make it worth the extra trouble of building a separate app for each platform instead of one website that works everywhere).
Also, browsers tend to bring their own sandbox (on top of what the OS already does). For example, Chromium was able to mitigate Meltdown/Spectre before OS vendors shipped an update (except on iOS where browsers can't bring their own engines, so iPhone users had to wait for Apple to ship an OS update...)
Again why would you think Apple the browser maker would be any more or less careful about Safari not allowing websites to access your camera, GPS, photos than Apple the operating system maker?
No one thinks that app review is what stops malicious apps from circumventing permissions. It’s the operating system itself.
And you really don’t want to compare the state of iOS updates to the state of Android updates do you?
Also, browsers tend to bring their own sandbox (on top of what the OS already does). For example, Chromium was able to mitigate Meltdown/Spectre before OS vendors shipped an update (except on iOS where browsers can't bring their own engines, so iPhone users had to wait for Apple to ship an OS update...)