> Can Apple disable push notifications if the website [] and is actively []

No, and previously you could add a hacked website to your homescreen and Apple couldn't stop you from doing so. Not speaking for the other features, but the webpush api provides no mechanism to steal info as much as it provides a way to alert a user who previously installed the app and allowed notifications that the app is sending them a notification.

Now, if after the user installing and allowing, the site gets "hacked", the hacked site operator could send push notifications that invite the user to interact with the compromised web site/app. Apple has no recourse; the pressure would have to be applied to the hosting service to shut down the site. That's a tall order for your average web user.

On iOS you get asked the first time an app tries to show you notifications and it's very easy to disable them after the fact too. Since PWAs are just apps you add to your homescreen nothing will change in this regard.

As an aside, how would a notification steal your info?

> As an aside, how would a notification steal your info?

How about:

“Hey dear user you won {amount} of money please click here and fill this totally safe form”

This was me thinking for a solid 3 seconds, imagine if someone put some effort into the message.

This is not a threat model that's unique to PWAs though, nor in any way enabled by what's seen here. Installing a PWA is practically equivalent to installing an app and a malicious app or an app that had their OneSignal or similar credentials compromised could do the exact same thing.

Apple can disable push notifications from a compromised app.

It's unclear if they can do it for a compromised website, which was my question above.