
As a provider is it possible to defend against this with a Content Security Policy or does this mechanism override the site’s CSP?


Not only would CSP block it, but this type of behavior only strengthens Apple's decision to not allow third party rendering engines. Could you imagine the privacy nightmare that would ensue if Facebook could release a browser that bypassed any and all safeguards implemented by site operators?


If it were only Apple's restrictions preventing this, why wouldn't Facebook release such a browser on Android?


External sources, yes; preventing an app from injecting inline HTML and JavaScript is tricky.


You can block all inline scripts via CSP.


That’s why I said tricky and not impossible.


MDN docs for Content Security Policy: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP (for anyone unfamiliar with that browser feature that should in theory disallow injection for websites you control).
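As an added illustration of the "block all inline scripts via CSP" point in the exchange above (this is example code written for this thread, not from any commenter or from MDN), the following parses a Content-Security-Policy header and reports whether an inline script would be allowed to run, applying the script-src / default-src fallback and the rule that 'unsafe-inline' is ignored once a nonce or hash source is present. The sample policies are constructed.

```python
# Added example (not from the thread): decide whether a Content-Security-Policy
# header would let an inline <script> run. Directive names and the
# 'unsafe-inline' / nonce / hash rules follow the CSP spec linked above.

HASH_PREFIXES = ("sha256-", "sha384-", "sha512-")


def parse_csp(header):
    """Split a CSP header into {directive_name: [source expressions]}.
    A repeated directive is ignored; the first occurrence wins."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def script_sources(policy):
    """script-src governs scripts; it falls back to default-src when absent.
    Returns None when neither directive exists (browser default: allow)."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def inline_script_allowed(header, nonce=None, sha256=None):
    """True if an inline script (optionally carrying a nonce attribute, or
    whose body has the given sha256 digest) would execute under this policy."""
    sources = script_sources(parse_csp(header))
    if sources is None:
        return True  # no governing directive, so nothing restricts inline code
    # Keyword sources are single-quoted; strip the quotes for comparison.
    keywords = [s[1:-1] for s in sources if len(s) > 1 and s[0] == s[-1] == "'"]
    if nonce and f"nonce-{nonce}" in keywords:
        return True
    if sha256 and f"sha256-{sha256}" in keywords:
        return True
    # Once any nonce or hash source is present, 'unsafe-inline' is ignored
    # (CSP level 2+), so a nonce-based policy stays strict even with it listed.
    strict = any(k.startswith(("nonce-",) + HASH_PREFIXES) for k in keywords)
    return any(k.lower() == "unsafe-inline" for k in keywords) and not strict


if __name__ == "__main__":
    # Constructed sample policies, weakest to strictest.
    for policy in ("img-src 'self'",
                   "script-src 'self' 'unsafe-inline'",
                   "script-src 'nonce-r4nd0m' 'unsafe-inline'",
                   "default-src 'self'"):
        print(f"{policy!r:48} inline allowed: {inline_script_allowed(policy)}")
```

Note that this models what the page's own policy permits; a policy with only a nonce or hash source, and no 'unsafe-inline', is the setting that blocks inline code the page did not mark.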


Strides have been made in web security, check out the permissions policy[0] along with COOP and COEP[1].

[0] https://www.w3.org/TR/permissions-policy-1/ [1] https://scotthelme.co.uk/enabling-coop-and-coep-reports-on-r...



