lucb1e a day ago

It's not to protect the user; it's DRM. Using a non-rooted phone means all apps get DRM for free. You can't simply press 'record screen' when the software sets a flag; you can't view the data that the app processes about you or make backups thereof; you can't control what the device does such as skipping any checks. Fraud detection and CAPTCHAs rely on security through obscurity.

> if someone is technical enough to root his phone he understands the risks

You're looking at this from the user's perspective. Indeed, the narrative is "for your safety, you cannot export your security tokens from your device's storage" or "software that runs as root can bypass all permissions, an attacker might exploit that!", as though users can't make that choice themselves on purchased-to-own hardware. Dropping privileges (https://en.wikipedia.org/wiki/Privilege_separation) has been a thing for as long as I've been alive. Don't be fooled that this "protection" is for you :(