Yeah, but if you request webUSB access maliciously to some random device, an unsavvy user is likely to click ok without thinking about it. Its still very much a viable attack vector.