An app can probably be more trusted, but the more concerning one is a script on a website. A user can be tracked inside an app by many more reliable mechanisms, so the only benefit to apps. in using this is to try to track a user after they've deleted an app and reinstalled it. Concerning, yes, but not a very frequent thing to do. Meanwhile, sites that can fingerprint via scripts are much more worrying. If it takes a second to do that, lots of sites will do it successfully. If we can extend this to a minute, fewer sites will bother and plenty won't get a chance to finish before the user closes it. Still, I think the best way is to deny sites access to those measurements. If a thing needs those, they can write an app.