Here's what I think Google should do: I really like the Work Profile feature. It essentially sandboxes Work from personal and it adds nice little briefcase badges to mark apps that are in the Work Profile.

Another solution might be to add an optional Uncertified Profile that, if turned on, allows unregistered apps but sandboxes them and marks them with a "dangerous" badge. That might ensnare these trojans and malicious apps that pose as legit. That might be enough to scare grandma and let people who know what they are doing do what they want.

Although, frankly, I'd just prefer Google made a "Secure Profile" to keep bank apps and other high-security apps away from everything else.

> allows unregistered apps but sandboxes them and marks them with a "dangerous" badge

Surely apps are sandboxed on Android by default?

To some extent, but permissions are very loose on Android (i.e. broad and difficult to fully think through in terms of how apps might interact) and in many cases they are not fine-grained enough. For example, without Work Profile it's difficult to compartmentalize to avoid mixing personal and business files, and it's difficult to say what apps do behind the scenes (say, PDF or Word document viewers trying to be "helpful" in ways you don't really want) and with other intents.