There are some legitimate use cases for them, but generally I think web push permissions are best defaulted to “no” so sites can’t harass users with fake, “we need to maintain the ability to harass the users again” in app prompts.
Every request for notification permission is best defaulted to No. It shocks me how eager people are to opt-into getting spam and other junk alerting on their phone.
Many people don't even read pop ups and just click the button that stands out to them. It's pretty wild to see.