His phrasing is very confusing - claiming the "from" field was spoofed, but that if he could see the "full header", he could have spotted the spoofing.

I would also assume something as prominent as the Gmail website/app for iOS, and the google.com domain, would have all possible email security features correctly configured.

So.. is this not the case? Or is it, but due to bad UI, despite all this security, any schmoe can send email appearing to come from google.com, and I have to pore over unspecified details in the "full header" to spot a fake?

It could indeed be that some MUAs only display the comment section. In theory you can use a MIME from like '"Google <google@google.com>" foo@example.com'. Though most spam filters heavily frown upon garbage like that. Things like '"Foo (google@google.com)" <foo@example.com>' will likely pass though. (It's commonly done by shit forwarders.)

Apple Mail does allow you to see the actual sender if you tap on the name though. Outlook has been way worse in that aspect, by not letting you see the full sender. At some point it even saved these fake addresses automatically in your address book if it matched a contact's name or something. (I couldn't find the thread about it right now, but it has been discussed elsewhere.) It's a disservice to everyone except attackers to be honest.

On obvious spoofs I see "legal@gmail.com <via scamdude@askjdfaskldfj.net>". I think he means that it didn't indicate the latter. And if gmail phone app didn't fail to display headers he could have looked