Fair enough, but “regulatory requirements” can be a symptom as well as a cause. Bad rules are there for the changing.
So if you add up all that, then they’re more likely to allow long term login sessions on an application that they control than on a desktop/web browser that they don’t.
Again, all true. But this is all just probabilistic, as someone else said. A properly secured browser on a locked down machine can be much more secure than an outdated Android stack in the hands of the kind of person who falls victim to scams.
Here, the effect of “assumptions” is to undermine software freedom and privacy. That feels like a problem that needs a better fix.