As a good rule of thumb, apps are malicious. If they are not, the libraries they include are. If, somehow, even the libraries aren’t malicious, the attackers who compromise the app or its backend are definitely malicious.
We are rapidly approaching that point. Apple is/was/will be enabling on-device scanning for someone's definition of naughty. Not hard to imagine that naughty will soon include images of Winnie the Pooh, union formation, abortion, minority group X, what have you. Automatic notification of the authorities to follow.
Edit: To be clear, I am obviously opposed to CSAM, but on-device scanning is a privacy violation. Nobody knows what hashes trigger a flag, and they could be updated at any time without the user being aware.
Running arbitrary and proprietary code without being able to review it first was always a mistake but we crossed that bridge over twenty years ago.
Every OS and chip manufacturer is working towards "secure core" architectures now. Executed code will run inside OS and silicon-level sandboxes. Memory spaces will not only be randomized, but encrypted and authenticated through dedicated secure enclaves. Hardened IOMMU modules will negotiate bus communication. System code is partitioned off and verified through hardware root of trust.
Malware as we have known it will be extinct in a few years.
In a nutshell, because an application won't be able to do anything evil. We're already halfway there on mobile devices. An Android app cannot access system files or files of other apps, period. "Run as admin" doesn't exist. It can't access shared files like camera photos or documents without explicit user permission.
This is mostly accomplished using SELinux, which is an afterthought slapped onto the original OS architecture.
There are exploits that defeat these walls, but it's getting harder. Walls built from the hardware level up will be almost impenetrable and might require finding an error in the chips' microcircuit designs.
These are, quite frankly, easy protections to put up. I know a lot of work is invested into them but it’s pretty clear that apps shouldn’t be able to scribble all over the address space of other processes, or just have access to all system devices. The hard part is when you actually have a legitimate need to do certain things but not every app should be granted this permission. For accessibility reasons some apps should be able to simulate user input. Obviously, giving this permission to every app is not good. Some apps should be able to know where you are. The one that your spouse installed on your phone secretly to track you? Probably not. This is where the challenge is these days.
I have almost no apps installed on my smartphone ... I just go to the mobile website. Way easier, way more I can control. I'm literally missing nothing.
What about apps that aren't malicious? How can they tell the difference between a user who denied the permission to reasonably offer alternatives?