Novelty of the demo aside, whoever named Project Fugu did a great job. Eating around the lethal guts of a poisonous fish is precisely how I feel seeing libusb accessible by JavaScript.
What are the security implications? You only give acces to a specific device afaik. Is the attack surface of libusb too large? Why is it different then for example webcams?
Getting temporary access to video is different than getting access to upload firmware that changes how the webcam works.
It is also more abstract - the browser is not going to be able to enumerate the ramifications of what they are approving. Think a script which is asking for access to a YubiKey - there’s no way the browser can enumerate the various security ramifications of doing so, and the webpage itself may do so incorrectly (this is a reason that I believe Chrome deny-lists access to FIDO keys to WebUSB).
Finally, video access is a known quantity and thus gives opportunities to surface potential abuses in certain ways, such as displaying a colored ‘recording active’ indicator across tabs when the camera is in use, or providing a way to temporarily restrict video access without needing to find the application control option.
