Should the default android be locked, with no root, play store verifying apps, etc, absolutely. This is great for the average user that desires nothing more than just running play store apps.
Should you have the ability to run what you want on your phone, and copy the data from the app that you installed, after accepting the risks? absolutely.
It is already non trivial to install root, and adb locked root for example makes things vastly more secure even in that case(that is, you can only adb su into your phone, you can't grant the permission to an app directly). Especially with locked adb having fingerprint verification.
On grapheneos you can get basic. You can't get device, which is now needed by a lot of applications. See another example at: https://discuss.grapheneos.org/d/18118-play-integrity-meets-...
Play integrity by locking everything to the Google/Main vendors is making it less and less possible to run non-primary images/oses. And it's not for users security, it's for apps security, so this is purely to reassure the industry, and yet it is just another security theater. Running with strong integrity on a rooted device is possible with semi-significant effort, and that's good. It means that we're not relying on security by obscurity, and we can look at what's running on the phones.
