There are many real-world sideloading abuse cases in China. Attackers often trick victims with plausible stories—e.g., claiming a flight is delayed—and ask them to sideload an app (a remote‑meeting or remote‑control tool) to share their screen. Once installed, the attacker can view the victim’s screen and intercept SMS 2FA codes for online banking or other sensitive accounts.

Other schemes include impersonating sex workers to lure victims into nude video chats, then persuading them to install an app that harvests private content and contacts for blackmail.

> intercept SMS 2FA codes for online banking

Google should just ban all apps that use SMS 2FA codes for login.

Why should that mean anyone else should lose control of their device? Maybe at some point you have to accept that it's the user's responsibility? Maybe empower users to be aware of what the apps they install are doing, without take their control away?

This is how loss of autonomy always happens in every sphere: make an argument that it's for their own safety that individuals are losing autonomy, and the entity gaining control is superior in knowing what's best, and is taking control only out of the goodness of their heart.

What's the Android situation there? Last I heard Google didn't license Android there and they were using Chinese app stores with forked AOSP Android. Which would seem to put the sideloading decision in the hands of the forked OS.

These unfortunately gullible people would be tricked in many different other ways throughout their daily lives even if it wasn't for the ability to install something on a device that you paid for and outright own.

We don't cater the most stupid in society.

Yes, this is called malware and isn't the fault of being able to install software on your device.

If someone tricks you into handing over the keys to the kingdom, the solution isn't to remove your door.