[buildfocus]

...yes.

Unavoidable hard restrictions like this make it dramatically harder to do malware research (thereby reducing security overall) and cause huge & unreasonable problems the moment you see a false positive.

I'm all for user protection, but there is a limit. There's no point aiming for 'impossible' - if the user could be convinced past enough security warnings in the OS, they can equally be convinced to just type their banking passwords into the attacker's phone directly.

I think there's a responsibility on the platform to make possible consequences clear, and make dangerous actions quite difficult, but totally blocking full user control of their own devices is counter productive.