iOS and macOS security requires each application that wants access to the camera to obtain that permission manually from the user. However, Apple's own apps, such as Safari, have access by default.
Security researcher Ryan Pickren discovered seven new vulnerabilities in the Safari browser that allow an intruder to access a device's camera, microphone or location, and in some cases stored passwords.
Exploitation of camera access errors
"The page accepted this URL and reloaded the same content, which means I was able to change the document.domain using this simple trick."
So now the Safari browser believes that the connected site is skype9.0com. By opening the local file, attackers can execute a malicious script and gain access to the camera, microphone and screen sharing.
He also discovered another error (CVE-2020-9784 & CVE-2020-3887) which bypasses the automatic download prevention in the Safari browser.
Using all of these vulnerabilities, an attacker can gain access to the camera, microphone, or location of an iOS / macOS device, and in some cases, stored passwords.