What should Google do when a change they are making to protect regular less-technical users breaks functionality needed by more advanced users?
If the user must click through tons of disclaimers (including locked 60-second timeouts with huge WARNING: SCAM ALERT or something) in something buried in settings to get scammed, I think the few edge cases may be worth the tradeoff of being able to install apks.
Remember there is already malware-scanning by default (by Google Play), apps need to ask for permissions, they generally can't read other app data or control, say, banking apps, modify system data (at all), etc.
The threat vectors seem already restricted. I haven't met anyone who has fallen to actual Android malware ever (that I can remember), but I can remember several close family members who were victims of simpler social engineering scams (mostly unsuccessfully) recently.
Furthermore, we have to acknowledge that scam-fighting is not Google's job. They can assist with law enforcement (assuming they do not violate the rights of their customers while doing so) but they should not be making themselves judge, jury, and executioner in the process.
If you want a more concrete technical recommendation, locking down device management profiles would be a far more effective and less onerous countermeasure than putting a 24-hour waiting period on unknown app installs. Device management exists almost exclusively for the sake of businesses locking down property they're loaning out to employees, but a large subset of scams abuse this functionality. Part of the problem is that installing a device profile is designed to sound non-distressing, because it's "routine", even though you're literally installing spyware. Ideally, for a certain subset of strong management profile capabilities, the phone should wipe itself (and warn you that it's going to wipe itself) if you attempt to install that profile.
Have people read and type in a message saying "I'm not on the phone with a potential scammer who is trying to get me to install a package that may be dangerous", trust people to actually read what they're typing, and if they can't read and comprehend that, stop getting in the way of them shooting themselves in the foot.
Put it behind a USB ADB-only toggle and be more transparent to avoid a slippery slope?
I don't think OS vendors should be expected to keep people from doing dangerous things. A warning label saying "hey that's dangerous because..." is reasonable, but anything more and they're trying to be my sysadmin against my will.
These are sold as consumer devices and not general computers. It sounds like you want something different. They’re selling cars and you want a motorcycle.
More sysadmin-as-a-service type stuff is fine as long as the opt-out is easy. This isn't. I'm upset about the rug pull.
You never know though. Sometimes things go the other way. When the iPhone launched there was no way to create apps for it or install third party applications except as web apps.
The real problem is that prior to verification, Google can't ban ICE tracking apps (or whatever the next problematic government doesn't like) from Android, and after verification they will be able to for most users.
They say they won't do that. I might even believe the people currently running things won't do that, but they will be incentivized to do that in the future, and incentives are much better at predicting outcomes than intent.
If you are a fan of open source, maybe this will be a good thing. Maybe this will drive more people and money to open source projects directed at making a better mobile OS.