Your users don't care whose fault it is. Your app isn't working. You can choose to cut those users off, and that's totally an option...sometimes.
Mac users are probably a little more tolerant of this than non-Mac users, because of the general upgrade treadmill, but whether you can get away with it is a question only you can answer for your app.
That's still a very different class of problem from a CVE break of a single-point-of-failure, is the point. Someone deciding to use your Electron app's old Chromium build and a known CVE in it as a target vector for infecting or remote controlling users' machines is a very different problem from "because we are using system webviews this small CSS/JS feature doesn't work in this version of macOS, please upgrade". Even if the user rightfully blames you, the app developer, for both issues and doesn't allow you to point fingers upstream, one is a severe security threat that can destroy entire brands and the other is "mere tarnish" on a brand. (I know which class of problem I'd rather deal with, given the choice here.)