I worked in fraud compliance architecture at a bank.. they didn't checkbox anything. They had a lot of gathered data and justification for the limits they enabled. I'm sure not every bank does it that way, but they weren't trying to limit legit customer access, and they pained at enforcing limitations like this.

Can you share what limits they did and did not impose?

Yeah I call bullshit. The number of people with rooted phones is going to be way less than 1%, and the number of those that are unsophisticated enough to fall for scams/malware is going to be miniscule.

This is pretty clearly a case of "oh there's an option here that says 'allow on rooted phones', do we want to allow that?" "No that sounds scary and risky! Of course not. We must not allow it."

The option is there, and nobody is going to try to sell not ticking it.