@Gargron the review process at Google can be a PITA, but for a good reason. Permissions to access more than an app really needs can be exploited for harvesting private information on a seemless update that most won't even notice. Side loaded apps downloaded from say APK mirror can have been tampered with using smali edits and you won't know. What Google should do is certified dev signing keys to trace and confirm if an APK is legit or not and coming from the actual dev, regardless of being side loaded.

@denzilferreira @Gargron so why dont we do this on windows or linux then, both oses by default dont even have a permissions system and give applications near full access to the device

@Chickerino @Gargron that's not true, you do need to raise admin rights to install something not digitally signed on Windows, and admin credentials to install on Linux. On Linux you have Flatpaks that do have permissions in place, and the software runs on a sandbox with only access to what you allow. Windows does not do any of that - hence I'm not gonna even recommend it.

@denzilferreira
You can still run (potentially malicious) software without installing it. Lots of portable software out there on windows, AppImages or statically compiled binaries on Linux, etc. And you don't need admin permissions to ransom the user's documents, run a cryptominer, change the user's browser settings, adding itself to the user's startup applications, etc.
@Chickerino @Gargron