> I'm career IT support. In the entire age of smartphones, 100% of the malware/crapware I've seen was on non-rooted devices - most of it pushed on users by manufacturers, carriers and OS devs.

To add on, almost all the money people I know who have lost to scams have been through non-rooted devices. Sending an OTP or making a bank transfer because "you're under police investigation" is cheerfully easy even without the user knowing what "root" is.

Also see: the recent phish on Krebs (on security). A malicious email and entering a password to a webpage does not need root access, for better or worse. In fact, a rooted device might block your bank app, actually making money transfer scams tougher, ironically.