Claude Desktop looks like an upgrade over the browser version. It has MCP servers, Cowork, Computer Use, Desktop Extensions. Features the web version simply doesn’t have. But after looking closely at the security implications, I decided the web version is the better choice for me.
What Claude Desktop adds over the web
The Desktop app is not just a packaged version of claude.ai. It adds several capabilities the browser can’t provide:
- MCP server connections that give Claude access to your local files, databases, and external tools through a persistent protocol
- Cowork, an autonomous agent mode running in a VM that can mount your local folders and execute multi-step tasks
- Computer Use, which lets Claude control your screen, open apps, and interact with your desktop (research preview)
- Desktop Extensions (DXTs), a plugin system for extending Claude’s capabilities with third-party tools
- System-wide hotkey (Alt+Space) to summon Claude over any app
Chat, Projects, models, context window, web search, and artifacts all work identically in both versions.
The security problem
Every extra Desktop feature is also an extra attack surface. The core risk is prompt injection: malicious instructions hidden in files, websites, or documents that Claude processes. In a plain chat interface, the blast radius is limited to a bad response. When Claude has access to your filesystem, network, and screen, the blast radius is your entire machine.
A few things that gave me pause:
Desktop Extensions run with full system privileges. Unlike browser extensions, DXTs don’t run in a proper sandbox. Security researchers found that a malicious calendar event could trigger arbitrary code execution through a DXT, rated CVSS 10/10. Anthropic declined to patch it, saying it falls outside their threat model.
Every MCP server is a new attack surface. Audits of the open MCP ecosystem found that over a third of agent skills have at least one security flaw, with 13% containing critical issues including malware distribution and exposed secrets.
Computer Use runs on your actual desktop, not in an isolated environment. A successful prompt injection here means an attacker could control your screen.
Cowork runs in a VM, which is better, but it still reads your local files and can browse the web with your session cookies.
Why the web version is enough for me
I don’t use MCP servers, Desktop Extensions, Cowork, or Computer Use. My development workflow is built around Claude Code CLI running in Docker sandboxes (sbx), which gives me proper filesystem and network isolation at the OS level. Claude Code in a sandbox can’t touch my SSH keys, can’t phone home to an attacker’s server, and can’t escape to modify system files.
For everything else (research, writing, brainstorming, planning) the browser chat does the job perfectly. Same models, same context window, same features. No additional attack surface on my machine.
The iOS app is the safest option
Claude on iOS is essentially the web version running inside Apple’s standard app sandbox. No local code execution, no MCP servers, no filesystem access, no computer use. The only agentic feature available is dispatching Claude Code sessions to run remotely on your desktop, but that’s an explicit choice, and execution happens on the other machine.
If you just need to chat with Claude on the go, the iOS app has the smallest possible attack surface.
My setup
- Claude Code CLI in Docker sandboxes for all development work. Filesystem and network isolation enforced at the kernel level
- claude.ai in the browser for everything else: research, writing, planning, conversations
- Claude iOS app when I’m away from my desk
No Desktop app needed. No unnecessary privileges granted. The web version gives me everything the Desktop chat does, without the security baggage of features I don’t use.
The principle is simple: don’t install capabilities you don’t need. Every feature that lets an AI act on your system is a feature that can be exploited. If your agentic work is already sandboxed elsewhere, the browser is the more secure choice.