I recall reading something recently about how in a coming release, Android will disable sideloading. The sole permitted way to sideload will be to enable ADB and then install the app with adb install. Some techies will continue to do that, just like some people unlock the bootloader and install LineageOS on their device, but removing Signal from the Play Store would make it as good as dead for the general public. (Even Signal’s website discourages people from downloading the APK from them, and prefers that people use an app store instead!)
There is a concern with getting ordinary non-technical users accustomed to the concept of sideloading apps... It might be totally safe to download the official Signal APK and sideload it. But people will then think that's a suitable and acceptable way to install other things, and will then be more likely to be easily social engineered or phished into loading other malicious APKs.
The ordinary non-technical user has no idea of how to manually verify the sha256 checksum of an APK they've downloaded from the "official" software developer of an app.
"Given that these features are already functional once enabled, it may not be long before the sideload protections arrive for those who enrolled in the Advanced Protection Program."
Perhaps developers will one day be required to provide proof of ID to Apple or Google before being allowed to carry out the "dangerous" activity of installing unapproved software.
Some googling leads to this [1]. From what I read it seems to be an opt-in program (for now). Was initially very concerned when I read your post, especially because Google recently broke Magisk (likely forever).
Basically Google has actually implemented remote attestation properly (using hardware) so Magisk can't hide unlocked bootloaders anymore unless someone finds a crypto flaw. It's slowly being rolled out to Play Services but I believe CTS still passes for now.