Most web3 applications will probably be more off-chain than on-chain. And I think that's OK.
Sufficiently decentralized technologies have a reasonably low cost of participation, a reasonably low level of censorship, and a reasonably low level of trust among actors.
What's reasonably low? It depends.
Take a look at how the web works today. Sufficiently decentralized – it may be difficult to become a domain registrar, start an ISP, or run your own DNS infrastructure (that others use), but anyone can create a website and host it on the web. You can post pretty much whatever you want, although it's not completely censorship resistant – remember when Cloudflare erased a Nazi group from the web in 2017 and 8chan in 2019? I think that's a good thing.
Our financial infrastructure isn't nearly as open. One of the Plaid co-founders spent $50 million to purchase a chartered bank just so that he could build a fintech startup with it. Of course, building programmatic financial products shouldn't be as easy as spinning up a website, but if it were a little easier, we might see far more innovation in the fintech stack from motivated hackers.
The SEC defined sufficiently decentralized in its own way:
But this also points the way to when a digital asset transaction may no longer represent a security offering. If the network on which the token or coin is to function is sufficiently decentralized – where purchasers would no longer reasonably expect a person or group to carry out essential managerial or entrepreneurial efforts – the assets may not represent an investment contract. Moreover, when the efforts of the third party are no longer a key factor for determining the enterprise’s success, material information asymmetries recede. As a network becomes truly decentralized, the ability to identify an issuer or promoter to make the requisite disclosures becomes difficult, and less meaningful. (2018)
Web3 infrastructure makes different trade-offs around sufficient decentralization. Some optimize for censorship resistance at the expense of a high cost of entry. Others double down on self-custody while eschewing any protections for their users. Some provide surface-level decentralization while having choke points that are even more centralized than their "web2" counterparts.
The answer is probably somewhere in-between: a low (free) cost to participate that democratizes access and basic protections to help users from shooting themselves in the foot.