We really need to banish the term "sideloading". Installing apps on a terminal is just that, and for as long as I remember on windows, Linux it has always been just that.

Google mentions about being on a call, and being tricked into handing over codes. So why not use signals and huristics to decide?

If user is on a call, block any ability to install a shady app. Implement a cool down before that functionality is restored (say 24 hours). It can also detect where the user is based to add additional protection (such as mandating the use of play protect to scan the app before it's activated and add another cool down regardless).

There's lots of ways to help protect the user but it's wrong to ultimately control them. The real world is full of scary dangers that technology is trying to solve but is actively making things worse (such as computerized safety systems in cars).

Ultimately, the user is responsible and whilst it's palpable Google would want to reduce harm in this specific way, we know authoritarian governments would also love to be able to dictate what software people can run. The harm to democracy is simply too great in favor of saving a few people's money.