The issue is less the app store itself and more the applications in it. Because while I agree that basically everything should run sandboxed unless specifically given permission, the problem is more about sourcing the apps themselves.

Google and Apple are far from perfect but they do a good job of protecting big companies. So if you download “Chase bank app” with 12 million stars from “Chase bank company” (like, their actual account and not just me half assing it) then you can pretty much trust that is legit. Whereas downloading that on a random app store you bought so you can play pubg mobile locally or whatever nonsense people were doing? You can pretty much trust that it is not legit but most people won’t understand that.

In a perfect world? I would love it if people got into a habit of checking hashes (which, is an inherently flawed approach but “works pretty well” if you aren’t already compromised) and so forth. As it stands? There are very good reasons to just tell grandpa to not install random APKs he found on the internet.