But there's something to be said for getting a phone that specifically can't do certain things, whether that be for privacy (Facebook says: download the FB App Store to get Instagram!), security (evil maid attacks), or giving it to my great-grandparent who just needs to use some social media apps and the phone app.
No, this doesn't enable evil maid attacks. If your evil maid has the means to unlock your phone in order to enable sideloading, then it's already game over, because with that same access they can get your passwords and your 2FA second factor. Please stop trying to suggest that evil maid attacks are a concern here.
One-time opportunistic and potentially brief access to the phone is different to installing spyware (during that brief access) which reports all activity forevermore or allows MitM on your data.
An APK is an APK. It's beholden to the same mandatory permissions system and has no extra abilities whether sideloaded or from the Play Store. Sideloading != rooting.
Since about iOS 6, iOS exploits have started with a sandbox escape exploit, since the attack surface is so large with native code running on the device (only one since then, the Checkm8 exploit, used a USB exploit instead). Getting native code on a user's device for "free fortnite vbucks" is step one to silently jailbreaking phones and running adware/malware/spyware.