So the app developer has to be able to demonstrate they followed some form of best practice with regard to user data.
I think you're downplaying the requirements of this law. You should read it; it's pretty onerous and carries decades in prison with it - even GDPR didn't go that far.
One interesting caveat, however, is that at least as written, I can't find anything imposing penalties for simply not filing the reports this law claims to require after all of the expensive audits etc it wants. It only imposes penalties for lying on the reports. I'm not sure if that was an oversight on the author's part or if that's intentional though. Any final version would likely "fix" that issue.
Again, I believe this is simply false. The provision carrying "decades in prison" applies only to companies making over a billion dollars in revenue, and only in the very limited case where a particular officer of the company knowingly mis-certifies a report to the FTC.
The plain language of the law says that your interpretation is not correct. The criminal provisions apply to companies with over $1 billion in revenue or those that have 1M or more users. That would expose a much larger range of independent developers to decades in prison.
A closer reading indicates that you seem to be correct that the criminal provisions only apply to those larger entities. However, ALL of the provisions in pages 26-33, which are significantly burdensome, still apply to all covered entities, which you can hit by just having 1 million user accounts.
I’m having trouble thinking of any other type of work that manages to escape all liability.