Unlike with iOS or Android, in HTML5 invasive APIs (including notifications) are all opt-in. Each permission is granular, instead of needing to choose between granting all permissions an app requires or none. IMO this is a massive improvement.
Although you could grant notification access to an app and then it could become a bad actor, I expect on the web you will be able to be far more choosy about granting access than with an app.
I believe Android is doing something to bring in granular permissions; there was discussion at Google I/O this year.
Push notifications are opt-in and granular on iOS as well. You are prompted to approve each permission for each app: push notifications, location services, access to contacts, etc.