There is also a practical problem here. The people who get socially engineered into installing malware are usually not the same people who know how to dig into Developer Options in the first place. Meanwhile the users who rely on sideloading as part of their workflow alternative app stores betas region locked apps or open source tools are exactly the ones who will feel this pain constantly. You are effectively raising the cost of an already legitimate use case to maybe slightly inconvenience attackers.
The other concern is precedent. Once the norm becomes that sideloading is possible only through an advanced flow timed lockouts and central verification lists it is much easier to justify the next restriction. At that point regulators antitrust authorities and even enterprise customers should start paying close attention because this looks a lot like soft enforcement of a closed ecosystem while still being able to claim technical openness.
A healthier approach would be layered security rather than gated access. Clear and honest warnings up front permission scopes that are actually understandable and behavior based malware detection on device and in the cloud can all make users safer without turning sideloading into an obstacle course. Let people opt into power user features without making them feel like they are breaking parole.
There is also a practical problem here. The people who get socially engineered into installing malware are usually not the same people who know how to dig into Developer Options in the first place. Meanwhile the users who rely on sideloading as part of their workflow alternative app stores betas region locked apps or open source tools are exactly the ones who will feel this pain constantly. You are effectively raising the cost of an already legitimate use case to maybe slightly inconvenience attackers.
The other concern is precedent. Once the norm becomes that sideloading is possible only through an advanced flow timed lockouts and central verification lists it is much easier to justify the next restriction. At that point regulators antitrust authorities and even enterprise customers should start paying close attention because this looks a lot like soft enforcement of a closed ecosystem while still being able to claim technical openness.
A healthier approach would be layered security rather than gated access. Clear and honest warnings up front permission scopes that are actually understandable and behavior based malware detection on device and in the cloud can all make users safer without turning sideloading into an obstacle course. Let people opt into power user features without making them feel like they are breaking parole.