What's the threat model here?

If the user must click through tons of disclaimers (including locked 60-second timeouts with huge WARNING: SCAM ALERT or something) in something buried in settings to get scammed, I think the few edge cases may be worth the tradeoff of being able to install APKs.

Remember there is already malware scanning by default (by Google Play), apps need to ask for permissions, they generally can't read other app data or control, say, banking apps, modify system data (at all), etc.

The threat vectors seem already restricted. I haven't met anyone who has fallen to actual Android malware ever (that I can remember), but I can remember several close family members who were victims of simpler social engineering scams (mostly unsuccessfully) recently.