This is such a common talking point, the "hassle of side-loading app stores and the insecurity of trusting them (for permissions enforcement)," that I wonder if some PR firm out there was hired and this talking point is showing up everywhere so people subconsciously think it's consensus and start parroting it themselves (why I'm now seeing it and responding)! The application security model is at the OS level and not the app store level (which is really just a dressed up branded package manager, and has been done forever in GNU-land).