With web you have to trust the developer on every visit of the website. With mobile you can pin the trust (with some effort) to a single point in time, big positive difference
I'm not aware of any major mobile platform which works like that though, maybe in theory it could be done but in practice it's all powers to the manufacturer which can modify or remove your apps at any time silently.
Unless maybe you are on some things like GrapheneOS and only install apps though fdroid, that's not really a mainstream configuration though.
They have system access and can push anything on your device. In the past you could have an actual developer signature on the play store but Google got rid of it, on iOS there's never been any support at all of this kind of security.
Fdroid supports that but you need a modified rom so that the play store cannot interfere with it in any way. To my knowledge, only GrapheneOS does that.
Your explanation confuses the store with the device .Yes, at the time of download from the store you trust two parties, but that's still only "a single point in time"
No it's anytime you use your device. The stores can push silent updates and change your apps or access anything at any point.
The only exception I'm aware of is GrapheneOS where that's not possible. Otherwise if you are using iOS or any other Android rom than GrapheneOS, you are vulnerable to that.
