by 0xdeadb00f 1697 days ago
Rooting your phone and it being secure are two completely different things, my friend.

I can't tell if you're trying to say unrooted phones with stock carrier ROMs are somehow understood to be secure, or if rooting is mutually incompatible with security, or something else. Want to expound?

Here's a link to a more complete explanation from the primary developer of GrapheneOS: https://teddit.net/r/GrapheneOS/comments/du23la/rooted_or_ro...

Basically, you don't log in to your Linux box (or Windows, Mac, etc.) as root for day-to-day use, and the same thing goes for your phone.

Rooting your phone means you obtain root access to the device, bypassing carrier restrictions. It does not mean you run it as the root user day to day. That would indeed be insecure.

Rooting is not incompatible with security. Trusting carrier-distributed software on a locked-down device is far less secure than using a custom install of something like Calyx or GrapheneOS.

In my view, trusting Google, Apple, Verizon, T-Mobile, or AT&T is incompatible with security.

The idea that people having administrative access to their own devices is inherently insecure is vicious anti-consumer nonsense.

Well put.

Though for non-technical users, rooting a phone is a bit like going back to Windows XP.

Someone already linked a thread by a GrapheneOS dev. This is useful too.

https://madaidans-insecurities.github.io/android.html#rootin...

Not OP, but rooting is incompatible with security.

What's your threat model? Is it more secure that you as a user can execute root code? Or that your phone manufacturer can without asking for your permission?

Modern smartphones are basically spyware distros. I would argue it's far more secure to run a decent distro (Lineage/Replicant) with root, than it is to run any SamWeiMi crapware without root. Oh yes, the manufacturer's crapware has system privileges whether you ask for it or not, and so does Google Play Services, Google's universal backdoor for Android.

On paper, no root is better. In practice, even on a crap distro, rooting it will enable you to remove most crapware to reduce attack surface.

Also related: if you're concerned about security, you should probably only use applications from F-Droid.org repos. Google Play Store (and others) are just full of spyware! See also the Exodus Privacy project tracking trackers via static analysis of APKs.

Even with a custom ROM that includes no Google anything whatsoever, you still should not have root... that's what I mean. Just like how you should always use Secure Boot (but LineageOS requires you leave it off).

Not rooting is incompatible with freedom.