I can only speak to the Mac situation, but most people there would not have "root" in the traditional sense:

* Pedantically speaking, you can not even log in as root, any root level access would have to go through sudo (which is indeed enabled for most users).

* But additionally, even as root, Macs by default have System Integrity Protection enabled, which makes most system files non-modifiable. Users still have full control in that they CAN disable System Integrity Protection, but that involves a reboot and some (documented) command line commands, so most users don't bother doing that.

> I'm career IT support. In the entire age of smartphones, 100% of the malware/crapware I've seen was on non-rooted devices - most of it pushed on users by manufacturers, carriers and OS devs.

To add on, almost all the money people I know who have lost to scams have been through non-rooted devices. Sending an OTP or making a bank transfer because "you're under police investigation" is cheerfully easy even without the user knowing what "root" is.

Also see: the recent phish on Krebs (on security). A malicious email and entering a password to a webpage does not need root access, for better or worse. In fact, a rooted device might block your bank app, actually making money transfer scams tougher, ironically.

"I accept this metric. It means non-rooted devices are unsafe."

Same here. It's manufacturers and software vendors such as Google and Microsoft that we need to most guard against.

Fully agree wirh your second paragraph, I've only seen viruses on non-rooted devices and I've never had a virus on any of the many rooted phones I've owned over the years.

Sure there are viruses and they can be troublesome but when you look below the surface much of the hype about locking down one's devices comes from manufacturers and software vendors, Google, MS et al, who benefit financially from not allowing users to control what runs on their phones.

It's not only phones, what Microsoft has done with TPM and Windows 11 and the deliberate obsoleting of millions of perfectly good PCs/forcing users to buy new hardware when it's unwarranted is simply outrageous.

Microsoft ought to be sued for committing environmental vandalism. …And that's just for starters.

The neat thing here is that we don’t have to make uninformed speculation about this, we can just look at how it worked in the past. Anyone who did family tech support in the 2000s knew that every family visit involved removing all of the malware their relatives had installed – ESPECIALLY the ones who “knew” what they are doing! – and it was even odds that you’d see stuff like that on computers at businesses, libraries, banks, etc. All you had to do was say it’d improve system performance, give them free coupons or porn, and they’d trip over themselves to install it. This is why iPads and ChromeOS devices became so popular because everyone who actually knows how to use a computer safely knows people who say they do but absolutely do not.

It’s also important to learn how the modern abuse industry works. Since the 2000s, malware has grown into a multi-billion dollar highly professional industry used by governments around the world and the scammers have professionalized as well. You should look at some of the YouTube videos of scammers social engineering people into giving them remote access, approving bank MFA challenges, or talking them into making cryptocurrency purchases - and while we might sneer and say they’re uneducated or careless, most of them are distracted or old, just like most of us will be some day. If there’s a prompt, millions of people will approve it and if it means their device can no longer be trusted that’s a lot of money and e-waste.

I don’t like any of this. I want to have root on every device because I grew up with unfettered PCs (first installed Linux .9 using a disk editor, etc. etc.) but the landscape has changed since then. We can’t pretend otherwise, but we could call for regulation to balance the interests of owners and device manufacturers just as we allow people to customize their cars without giving up the concept of safety or emissions testing.

20 years ago (2003-2006), Welchia, Blaster, Code Red... Windows boxes that weren't patched were infected within about 35 ± 5 seconds when connected to lightly-filtered Internet when it was still a capitalized proper noun. Ask me how I know and used JScript and psexec to mass remote into LAN machines to try to stop some of the madness and downtime.

Spoken like someone who knew no one other than fellow practitioners in the field. My God, the 2000s were the Wild West in every kind of way - were you even there to see it? I note you do not say that you were.