They really think that malware developers will say “oh no! I need to submit a picture of an id card to sign my malware! It’s literally impossible to submit a jpg of a stolen id card, I’m ruined and out of a job!”

Which is irrelevant. They can block any malware - now impossible to do with sideloading of apps during pop-ups.