>If the bootloader is unlocked, it's only permanent until you reflash it.
That's very vendor specific. Of the android phones I've owned none of them exhibited that behavior. You could flash and reflash without re-unlocking. It only gets locked if you issue an explicit lock command.
>Also, there are options between "user has no control" and "totally unsecured bootloader" (ex. user-provided keys)
There are good reasons to have unlockable boot loaders, but this case specifically (ie. data loss from when your phone bootloops) isn't one of them. For one, do you really expect the average user to generate their own keys, reconfigure their bootloaders, and resign their roms? Even if they could pull it off that effort would surely be better spent setting up an actual backup solution, which would protect against other hazards that an unlocked boot loader would not (eg. phone falling into the ocean).
> You could flash and reflash without re-unlocking. It only gets locked if you issue an explicit lock command.
Slight miscommunication; I was intending to address the specific security threat of "attacker has (temporary) physical access and flashes something malicious onto the phone's root filesystem (anything from a complete ROM to a kernel module or background process that autostarts and runs as root every boot)", in which case the user can just re-flash the phone's non-encrypted partitions from known-good images and be on their merry way.
> do you really expect the average user to generate their own keys, reconfigure their bootloaders, and resign their roms
That's very vendor specific. Of the android phones I've owned none of them exhibited that behavior. You could flash and reflash without re-unlocking. It only gets locked if you issue an explicit lock command.
>Also, there are options between "user has no control" and "totally unsecured bootloader" (ex. user-provided keys)
There are good reasons to have unlockable boot loaders, but this case specifically (ie. data loss from when your phone bootloops) isn't one of them. For one, do you really expect the average user to generate their own keys, reconfigure their bootloaders, and resign their roms? Even if they could pull it off that effort would surely be better spent setting up an actual backup solution, which would protect against other hazards that an unlocked boot loader would not (eg. phone falling into the ocean).