"If someone steals my laptop while I'm logged in, they can read my e-mail, take my money, and impersonate me to my friends... but at least they can't install drivers without my permission" https://xkcd.com/1200/
The point is that your trust envelope extends to the authors of software, which are frequently not acting in the best interests of the user, and have their own goals and incentives (including competing goals with other software authors).
On my Linux systems, particularly under Debian, there's some assurance provided through the Debian Project, its guiding documents (social contract, constitution, policy), and debian developers. The project explicitly serves the users. This doesn't prevent bugs and occasional malice, but tends to tremendously reduce incentives for it.
Smartphones ... are a mess, and Android rather particularly so. I've suggested entirely rethinking how app development is performed, particularly for basic utilities, closer to the Debian model. I have little hope of this occurring.
Although you can leverage multiuser capable systems for more security by, say, using different user accounts for playing games and banking, or whatever.
Yet I was confused, because as a user all I cared about was my stuff that was ... right there in a non root account.
As you say all the stuff I was concerned about was right there, but nobody talked about how important that was.