It doesn't matter where the users are getting the software when the threat model implicitly trusts the OS vendor and makes it difficult for users to install the OS themselves.
Android phones ship with malware installed as root often with no methods for removing it.
"damage the way the computer works" IMO that includes abusing or denying resources or services on the machine which is very common with preloaded stuff.
Congrats on reverting home computing back to the amiga days then.
I have walked into target, bought androids, pulled them out of the box and connected them to the network over which they would immediately proceed to download gigabytes of malware from the play store.
If you only bother with what software people care about why allow installing code outside of the browser? That would much more effectively eliminate security vulnerabilities.
Ok, well now I can't do most of the stuff I was doing on GNU/Linux without doing it on a machine that someone else is hosting. So that's still a step backward.
It's relevant because when I go to use git on android and iOS I go hunting through the play store and download some closed source wrapper around it, often with libraries that the developer pulled in that they don't fully understand the behavior of.
By dramatically raising the cost of software maintenance (by decreasing interoperability and because of the heavy API churn) these systems make community maintained software rare which forces users to turn to organizations that are unwilling (and sometimes unable) to share information with their users.
I'm certain stuff slips through occasionally, there's the random number generator "bug" that made it into debian a decade or so ago. The rate is fantastically lower than pretty much anything else though.
When you need software that isn't well supported by your OS you're always going to have to apply some degree of care and research. Thinking that any degree of sandboxing or API re-arranging will ever make flinging binaries around safe is extremely naive and counter productive.
