alt Hacker NewsThe problem with the toxic max-security[0] arguments is that it is always possible to invent a more gullible fool. There is no security measure that will perfectly protect a user from getting scammed out of everything, save for scamming them first and then treating their property as your own. That's the Apple argument. The only way you can keep people secure without falling into the same rhetorical trap Apple employs is with bright red lines that you swear not to cross, no matter how many people wind up getting scammed, because at the end of the day, people are adults, and their property is theirs.
Furthermore, we have to acknowledge that scam-fighting is not Google's job. They can assist with law enforcement (assuming they do not violate the rights of their customers while doing so) but they should not be making themselves judge, jury, and executioner in the process.
If you want a more concrete technical recommendation, locking down device management profiles would be a far more effective and less onerous countermeasure than putting a 24-hour waiting period on unknown app installs. Device management exists almost exclusively for the sake of businesses locking down property they're loaning out to employees, but a large subset of scams abuse this functionality. Part of the problem is that installing a device profile is designed to sound non-distressing, because it's "routine", even though you're literally installing spyware. Ideally, for a certain subset of strong management profile capabilities, the phone should wipe itself (and warn you that it's going to wipe itself) if you attempt to install that profile.