I prefer the experience of native mobile apps (and native desktop clients, too!), but I prefer the privacy and sandboxability of pure-HTML apps. If a site is going to add so much JavaScript that it's unusable without whitelisting it all, then I almost might as well just use a native app.

If Android had ever-so-slightly better permissions, then the clear answer would be to stick with native apps, period.