missing-root If you install an app, the code is checked kind of, once. I guess the Play Store makes some kind of virus scans?
Not only that, you have an OS-backed root of trust when you use the Play Store on GrapheneOS as it is available from the GrapheneOS app store. The Play Store also has security metadata to verify that the app you are installing is authentic. Aurora Store does not verify this metadata, so you can't be sure the applications you install from Aurora are authentic without manually checking their certificate hashes.
missing-root But apps have way more attack surface and capabilities than browser tabs.
This is true. Apps expose the OS to more attack surface compared to a web app. Ultimately, it's a threat model thing, but it makes a lot more sense to use native apps for services that use encryption rather than a web app. It's fine to use the Uber web app, for example, rather than the native Uber app for attack-surface reduction and better privacy too.
missing-root Encryption works fine in the browser, see Element Web.
Sure, it works fine, but you're still trusting the server, which is not ideal. Of course, Element should not be used for E2EE chats anyway and one should use Signal or SimpleX instead, but this is off-topic. It's fine to use Element Web if you'll be chatting in public rooms because public rooms are not E2EE.
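
The manual certificate-hash check mentioned above for APKs obtained outside the Play Store, as an added example that is not part of the original post. It assumes the line format printed by `apksigner verify --print-certs` (Android SDK build-tools); the function names, sample output and pinned fingerprint are constructed for illustration, and the pin itself has to come from a source you already trust.

```python
import hmac
import re
import subprocess

# Line printed by `apksigner verify --print-certs` for each signer (assumed format).
DIGEST_RE = re.compile(
    r"^Signer #\d+ certificate SHA-256 digest: ([0-9a-fA-F]{64})\s*$", re.M)

def normalize(fingerprint: str) -> str:
    """Accept 'AA:BB:..' or 'aabb..' and return 64 lowercase hex characters."""
    cleaned = re.sub(r"[\s:]", "", fingerprint).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", cleaned):
        raise ValueError("pinned value is not a SHA-256 fingerprint")
    return cleaned

def signer_digests(apksigner_output: str) -> list[str]:
    """Extract every signer certificate SHA-256 digest from the tool output."""
    return [d.lower() for d in DIGEST_RE.findall(apksigner_output)]

def matches_pin(apksigner_output: str, pinned: str) -> bool:
    """True only if there is exactly one signer and it equals the pin."""
    digests = signer_digests(apksigner_output)
    if len(digests) != 1:  # unsigned, unparsable or multi-signer: fail closed
        return False
    return hmac.compare_digest(digests[0], normalize(pinned))

def check_apk(path: str, pinned: str) -> bool:
    """Run apksigner (must be on PATH) against a downloaded APK file."""
    out = subprocess.run(["apksigner", "verify", "--print-certs", path],
                         capture_output=True, text=True)
    return out.returncode == 0 and matches_pin(out.stdout, pinned)

# Constructed sample output and pin; not a real app's certificate.
SAMPLE_PIN = "AB:" * 31 + "AB"
SAMPLE_OUTPUT = (
    "Signer #1 certificate DN: CN=Example Developer\n"
    "Signer #1 certificate SHA-256 digest: " + "ab" * 32 + "\n"
    "Signer #1 certificate SHA-1 digest: " + "cd" * 20 + "\n"
)
# Same output with one hex digit changed, as a re-signed APK would produce.
TAMPERED_OUTPUT = SAMPLE_OUTPUT.replace("ab" * 32, "ab" * 31 + "ac")

if __name__ == "__main__":
    print("genuine :", matches_pin(SAMPLE_OUTPUT, SAMPLE_PIN))
    print("tampered:", matches_pin(TAMPERED_OUTPUT, SAMPLE_PIN))
```
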