
Last I heard (years ago), iOS forced everyone to use Safari for webviews, which lots of people also complained about. Did that change? Or is the Safari webview the subject of this story?



Every webview on iOS is Safari internally. The issue is if an app presents a webview, they can inject whatever JavaScript they want. This is what allows frameworks like Ionic to work in the first place: the webview runs the "app" and any interface back to the OS is communicated through a bridge to the native world.


Safari webview (WebKit) is what it's describing


The key aspect here is that Instagram's app is using a Safari Webview but somehow it is injecting its own tracking pixel on the HTML body whether the target website had it or not.

Which honestly does not surprise me; what surprises me is that Apple allows this. I think there was a time where certain JavaScript capabilities were present in Safari but not in Safari Webview and there was certain outrage.

Perhaps a solution would be to run the webview through Safari's content blocker engine?


To what? Disable the ability to inject JavaScript into the web view?


Yes. Is there a legitimate use case for injecting arbitrary JavaScript by the native app? (Honest question)


Apps that use HTML for their UI and JS hooks to trigger Touch ID, access the keychain etc.


Thanks!


It's the same. Any browser (or app otherwise) on the entire system has to use it for web rendering.



