New push subscription MUST have an endpoint that's different from the original

[collimarco]

When a push subscription is refreshed, I assume that the new push subscription is a completely different object, with different endpoint and different keys.

Having a guarantee that all subscription fields (endpoint and keys) are immutable, allows an application server that stores the subscriptions in a database to mark the fields as immutable and thus protect the integrity of subscriptions.

I think that the behavior is already correct in the browsers (do you confirm?).
However, you need to clarify the sentence in the standard to make it more explicit:

https://www.w3.org/TR/push-api/#subscription-refreshes

When this happens, the user agent MUST run the steps to create a push subscription given the PushSubscriptionOptions that were provided for creating the current push subscription. The new push subscription MUST have [[an endpoint and a key pair that are]] different from the original subscription.

[[Bold]] is mine, it's the change.

[collimarco]

Seen from another perspective: if the key pair changes, also the endpoint MUST change. Having the same endpoint, but different keys at different times, would be extremely confusing and error-prone (I don't think that browsers are doing this, but it's better to clarify that in the standard).