Hacker News

dathinab, last Friday at 5:56 PM

> does stop malware.

Unrelated to phones, a lot of (more professional) malware has moved to not persisting itself in root space (or at all) so as to not leave traces (instead it will just rely on being able to regain root access as needed every time you reboot, with all the juicy parts being in memory only (as in, how often do you even reboot your phone?)).

I think (but am not fully sure) this also applies to phone malware.

I.e. no, it doesn't work.

Not unless you

- ban usage of all old phones (which don't get security updates)

- ban usage of all cheap phones/phones with non-reliable vendors

- have CHERI-like protections in all phones and in general somehow magically have no reliable root privilege escalations anymore

Oh, and advanced toolkits sometimes skip the root-level persistence and directly go into firmware parts of all kinds.

Furthermore, proper 2FA is what is supposed to make online banking secure, not make-pretend 2FA where both factors are on the same device (your phone).

And even without proper 2FA, it is fully sufficient to e.g. classify rooted phones as higher risk and limit how much money can be transmitted/handled with it (the limit should ignore ongoing long-term automated repeated transactions, like rent).

There really is no reason to ban it.


Replies

mike_hearn, last Friday at 6:14 PM

Yes that's what they are doing. Phones known to have live root exploits are detected and banned.
