I think there are a few main contentions:

- The requirement, unless I'm mistaken, would tie a real-world identity of the developer to an app, who may wish to keep that separate from a pseudonym they may normally release things with.

- Unwillingness to give Google PII or just not tie a particular pseudonymous identity to that PII on Google.

- It puts absolute control in Google's hands for whether any app is allowed to run on most devices. There may be concerns about the types of decisions that may arise from this, not merely from recognized malware. Certain governments may ask Google to regulate apps allowed on such devices via this approach.

- Once this globally rolls out in 2027 it will mean the audience for apps from devs who don't agree to this will shrink dramatically. Only those presumably with AOSP based custom ROMs will be able to use those apps which may have a knock-on effect for dev motivation.

I'd argue it's basically the same thing except added in a complication to make it sound less bad. Google still has the final say here on what apps you install and don't install on your phone because verified developer's app still have to follow Google's rules, and if you don't, you will no longer be a verified developer. I reckon soon enough they will tighten the restriction and make it so that you have to install everything through the play store, Google and big corps always love making changes like this in small steps so that the backlash is minimal and they get to test the waters to see if they can get away with it.

De-anonymization is being done for the same reason manifest v3 was - to help their youtube revenue.

Yeah,that's still really bad. I own the device, period.