If you look at how much their demos in their gallery downloads, it's in the hundreds of kilobytes on average. Granted these are not full web apps but even still it's roughly on par with the latest web app framework's demos.
Actually, I don't think they state that is the only way they find content. I've had plenty of sites with obscure domain names for development and they always seem to find their way on to Google some how.
I imagine in addition to public URLs they also use URLs entered into Chrome (which isn't that public) and since they host DNS they probably crawl domain names requested through them too.
Legally I'm not sure what they stand on to do that but they're big enough now so I guess they don't worry too much about that nowadays.
Its Symantec, they run AV on thousands of computers across the globe. All the events generated from these computers get sent to them. Removal/cleaning procedures would be one of those events, probably for this very reason (i.e creator gets sloppy, installs and then uninstalls on their own machine).
Although I'm not sure I would use this, this is the kind of stuff I've been waiting for. Where nice clean containers are used as part of an active dev cycle rather than just the production push.
The ultimate dream of the end user using a desktop comprising only of containers seems to be still a bit far off yet...
I'm not saying its a bad idea, just that this direct path in implementation is.
There are many other (better) ways of implementing it, like the Mozilla light sensor API. If that doesn't satisfy you, you should create a new spec for light sensors combined with a practical implementation and then push W3C to use your spec over Mozilla's.
At the moment, nothing in a browser is direct access. Everything is abstracted, which includes the filesystem and geolocation. This provides a layer of security against massive horrible bugs in the OS. With WebUSB there seems to be very little abstracting, all the values you pass to it are then sent on to the device. Small bugs once protected by numerous layers of security usually requiring superuser abilities are now made massive as they are connected to one of the largest fuzzers there is, the internet.
I don't think direct access to USB devices like your suggesting is a good step forward if for nothing other than practicalities. Think about how many individual USB light sensors your websites would have to support to enable this small feature and the amount of low-level code in such a high-level language. Abstractly thats a great idea but could as easily be added with an addon or browser extension.