If they follow the Mac model of non-notarized app packages being installable with a warning (which can be disabled system-wide with a hidden setting) then that's basically equivalent to the Android model, which requires jumping through extra hoops to enable third-party app installs as well.
People will be tricked into jumping through all of those hoops to install malware on their phones, but people are already tricked into harming themselves via their phones all the time on iOS and Android alike. People are tricked into using their (legit) bank apps to send money to fraudsters, into downloading (from the App Store) NFT scam apps, into downloading (from the App Store) scammy and predatory apps disguised as free colorful puzzle games. What does this proposed malware do? Surreptitiously record location data? Trick the user into parting from their money? Pop up unexpected ads and redirects? Apple's blessed apps already do all of that. What bad behavior is possible from within an app sandbox that isn't common practice on the App Store? The only thing that comes to mind is location recording and sending of that information to the attacker, i.e. a spying GPS app installed by an abuser. The platform-level way to fix that would be to allow users to provide apps spoofed locations without informing the app that the location isn't real, which Apple won't do because... it would harm Netflix and Niantic's business model, I guess?