I think Android's "custom tabs" functionality is a great compromise. Apps can open a separate instance of the user's default browser which becomes part of the app's activity stack and doesn't share tabs with the main browser instance. However the UI and navigation are controlled by the browser, not the app. Cookies and local storage are also shared with the main browser instance, allowing seamless SSO without the app being able to intercept the secrets.

AFAIK iOS supports something similar, but only for authentication use cases.