Replied below, but TL;DR (and not fixing myself) is that security requirements of the app are such that a compromised APK or rooted device running modified Android could gain privileged access to sensitive information by bypassing/deep faking some auth mechanism. This isn't hypothetical: it's attacks observed in the wild that we've been forced to respond to.