The problem here is social engineering. If someone says "click these buttons in your phone's settings, sideload our app, and you'll be able to do X" (where X is "pirate movies," "mine bitcoin," etc.), a surprising number of people would follow the instructions, ignore any big red warnings, and end up with their device pwned. You'd need a way to make the certificate trust settings accessible only to those who know what they're doing.