Google has a pretty good legal team. Their developer ToS that absolves them of any sort of liability for anything. So this means VW is just being lazy and not seeking legal protection.
It will look better for the project lead if there's an issue though. You can say that you enabled everything recommended by Google or w/e, following best practices, and still got pwned instead of arguing that your own security model had a tiny little flaw that no one recognized. And it frees up project hours which can either be the difference between doing the project or not doing it and/or allow you to have other project work billed to this project.
That's definitely a thing in the corporate world. It doesn't even have to be the project lead, sometimes it comes via stakeholders, some times its even well meaning devs. It is a difficult balance to strike if you want to "only be reasonably safe" whereas cargo culting all security features might take a bit of time but you now can say "hey we did everything"
[]: everything may very well not be a thing but people like to pretend it is
They don't care about legal recourse. If there's something wrong, they'll just change the laws. That's why they don't care about GrapheneOS users, or any EU regulation which could harm them.
https://play.google/developer-distribution-agreement.html