FDroid has 0.2% of app volume of Play Store.

Don't mistake obscurity for security. FDroid isn't the size to even be noticed by problems that Play Store and AppStore are dealing with.

F-Droid at least does a quick review to make sure there's nothing malicious in the app before adding it. Since we know Google does something similar and there is still malware on the Play Store one might reasonably conclude that Google doesn't actually care about malware.

Now, it might be a problem of vetting at scale or malware being really subtle, but if that's the case Google should focus on improving their process before locking down Android for "security".

This is exactly why I gave the example of Debian repos.

Which again work on a model of a single entity having all the curation power.

My point is that Google does not want to protect users by restricting "side loading". If they actually wanted that, they would remove all the malware in their store. They are just building higher walls in the walled garden to lock you in.

Right, but the Debian Developers don't prevent you from installing (installing, not "sideloading") other programs. If you want to install malware you're free to, but they don't distribute it.