This is retarded. If the requirement is that the user was fooled into a bad website and is being asked to install something, they are already owned.
Absolutely no reason to trick them into installing a PWA of the same phishing site they were already fooled into using.
It does make the threat more persistent than a one off visit to the site, that they may more easily notice the second time.