AnthonyMouse 3 hours ago

> You could gate the functionality behind verification of an anti-scam awareness and education training and certification course, scammers would coach people through the entire course and the verification step, and people would still be victimized.

The problem with this line of reasoning is that it proves too much, which really gets to the heart of the issue.

If people are willing to be led to the slaughterhouse in a blindfold then it's not just installing third party code which is a problem. You can't allow them to use the official bank app on an approved device to transfer money because a scammer could convince them to do it (and then string them along until the dispute window is closed). You can't allow them to read their own email or SMS or they'll give the scammer the code. If the user is willing to follow malicious instructions then the attacker doesn't need the device to be running malicious code. Those users can't be saved by the thing that purportedly exists only to save them.

Whereas if you can expect them to think for two seconds before doing something, what's wrong with letting them make their own choices about what to install?

bonoboTP 19 minutes ago

Exactly. They might give them their Gmail password, the 2FA code, their credit card number and CVC, etc., etc.