>but not having root as the default makes it less of a secure FOSS OS and more of a closed down toy.

I don't get it, it's "less of a secure FOSS OS" to not have root by default, but it's secure to run random apps as root and breaking android's security model? What's the threat model here?