Android and iOS apps tend to require "explicit" user permissions when installing them. I quote explicit, because it's really implicit: accept these terms or don't use the app.

How many people actually look at these before clicking install?

They're not fine grained enough to allow the user to weigh up the security implications of them, which leads to apps requesting every permission under the sun, or just outright refusal to use the app (by a small minority who know the script).

We can see how this will pan out in the browser: The browsers will initially offer the "allowed devices" set that is described here, but eventually users will find it "too confusing", and they'll reduce it to "Do you want to allow this website to access any USB device?"

The common user will get fed up of this popup appearing and the browser vendors will happily oblige by having an enabled-by-default option: "Allow websites to access my USB devices".

Then some giants (ie, google) will provide SaaSS to filter which devices can be accessed from which websites for you. Browser vendors will be quick to use this service, turned on by default, much the same way as they use google for anti-phishing and whatnot now without asking the user.