For example, GMail app uses WebView to view emails in a very safe way. The major risks comes from loading arbitrary 3rd-party content into your WebView.
System browsers deal with this problem by sandboxing web pages inside separate processes, so even if the page code exploits some security vulnerability of the rendering engine and gains control over it, it still would not be able act on behalf of the System browsers. WebView is single-process, so any security vulnerability in the renderer engine practically grants any malicious code the same rights as your application has.
The preferred method is to make use of the External User-Agent