If a web browser has a sufficient bug to allow access to webusb without permission in an exploitable way, it's probably also exploitable enough that even without webusb you'd have hardware access via RCE.