There are a few places where the install-from-repository model fundamentally works better than the web model, or could work better if the repositories did a little better. One of the big ones is: when I download software (or load a webapp), I want to be sure I’m getting the same software/webapp as everyone else is. A webpage with a sandbox-escape vulnerability can serve malicious code to high-value target users, and avoid serving it to security researchers; whereas with something like apt-get or the Play Store, that sort of thing is much more difficult.
A repository/app store also makes it feasible to refuse updates. A prototypical example of when you want this is illustrated by a recent Play Store security incident with a barcode scanner app: something which (1) doesn’t have significant untrusted-network-data exposure so it isn’t likely to need security updates, (2) has little room for actual improvement, and (3) is at risk of being taken over by a malicious actor, or its developer deciding to monetize it in a way that makes it worse. (I have Play Store auto-updates on my phone globally disabled for this reason, and am quite bothered by the inability to control auto-updates on a per-app basis. Chrome has a built-in outdated-version detector that will warn if using an insecure version, but most other apps with network exposure do not. So this is trading some RCE risk in order to reduce malicious-developer risk.)