The setting to allow unsigned apps could be per appstore tracked by an on-device sqlite database, so a badly-behaving app will be known by its installer.
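One way the per-installer tracking sketched above could work, as an added example that is not part of the original comment: a small SQLite policy store with one row per app store saying whether it may install unsigned packages, a ledger recording which installer placed each package on the device, and an incident table so that a misbehaving package can be traced back to its installer and that installer's unsigned privilege revoked. Every installer and package name here is a constructed placeholder.

```python
import sqlite3

# Constructed example: per-installer "allow unsigned apps" policy plus an
# installation ledger, so a misbehaving package is attributable to the app
# store that installed it. All names are hypothetical.

SCHEMA = """
CREATE TABLE installer_policy (
    installer_id   TEXT PRIMARY KEY,
    allow_unsigned INTEGER NOT NULL DEFAULT 0 CHECK (allow_unsigned IN (0, 1))
);
CREATE TABLE install_ledger (
    package_id   TEXT PRIMARY KEY,
    installer_id TEXT NOT NULL REFERENCES installer_policy(installer_id),
    signed       INTEGER NOT NULL CHECK (signed IN (0, 1)),
    installed_at TEXT NOT NULL DEFAULT (datetime('now'))
);
CREATE TABLE incident (
    id          INTEGER PRIMARY KEY,
    package_id  TEXT NOT NULL REFERENCES install_ledger(package_id),
    reason      TEXT NOT NULL,
    reported_at TEXT NOT NULL DEFAULT (datetime('now'))
);
"""


def open_db():
    # In-memory database for the demo; a device would use an on-disk file.
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def register_installer(conn, installer_id, allow_unsigned=False):
    conn.execute("INSERT INTO installer_policy VALUES (?, ?)",
                 (installer_id, int(allow_unsigned)))


def allows_unsigned(conn, installer_id):
    row = conn.execute("SELECT allow_unsigned FROM installer_policy WHERE installer_id = ?",
                       (installer_id,)).fetchone()
    return bool(row[0]) if row else False


def record_install(conn, package_id, installer_id, signed):
    """Gate the install on the installer's policy; if allowed, write it to the ledger."""
    row = conn.execute("SELECT allow_unsigned FROM installer_policy WHERE installer_id = ?",
                       (installer_id,)).fetchone()
    if row is None:
        raise PermissionError(f"unknown installer {installer_id!r}")
    if not signed and not row[0]:
        raise PermissionError(f"installer {installer_id!r} may not install unsigned packages")
    conn.execute("INSERT INTO install_ledger (package_id, installer_id, signed) VALUES (?, ?, ?)",
                 (package_id, installer_id, int(signed)))
    return True


def report_misbehaviour(conn, package_id, reason):
    """Log an incident and return the installer responsible for the package (None if unknown)."""
    row = conn.execute("SELECT installer_id FROM install_ledger WHERE package_id = ?",
                       (package_id,)).fetchone()
    if row is None:
        return None
    conn.execute("INSERT INTO incident (package_id, reason) VALUES (?, ?)", (package_id, reason))
    return row[0]


def installer_incident_counts(conn):
    """Incidents per installer: the input to a decision about revoking its unsigned privilege."""
    rows = conn.execute("""
        SELECT l.installer_id, COUNT(i.id)
        FROM install_ledger l LEFT JOIN incident i ON i.package_id = l.package_id
        GROUP BY l.installer_id ORDER BY l.installer_id
    """).fetchall()
    return dict(rows)


def revoke_unsigned(conn, installer_id):
    """Flip the installer's policy back to signed-only and return the new setting."""
    conn.execute("UPDATE installer_policy SET allow_unsigned = 0 WHERE installer_id = ?",
                 (installer_id,))
    return allows_unsigned(conn, installer_id)


def demo():
    conn = open_db()
    register_installer(conn, "store.example.vendor", allow_unsigned=False)
    register_installer(conn, "store.example.community", allow_unsigned=True)
    record_install(conn, "com.example.bank", "store.example.vendor", signed=True)
    record_install(conn, "org.example.widget", "store.example.community", signed=False)
    # A constructed incident report against the unsigned package.
    blamed = report_misbehaviour(conn, "org.example.widget", "unexpected background network access")
    revoke_unsigned(conn, blamed)
    return conn, blamed


if __name__ == "__main__":
    conn, blamed = demo()
    print("installer held responsible:", blamed)
    print("incidents per installer:", installer_incident_counts(conn))
```

After `demo()` runs, the community store is recorded as the source of the flagged package, its unsigned privilege is off, and any further unsigned install through it is refused at `record_install`. The ledger keeps the package-to-installer link even after revocation, so later reports still resolve.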
The secondary device would basically be built on an open platform etc. Once we can't use the phone for sharing the connection, then we are basically stuck using other wireless connections, LoRa for short to medium connections, direct wifi links and offline home cloud environments. It gets a bit grim when you think about it, but there are always options. Now, would you travel with a home made tablet phone in an airport for example? What about a train station with X-ray scanners? Cyberpunk always comes to mind as well when thinking of these possible futures.
WRT banking, you'd just use the browser - the whole point is to get away from the whole 'you need to spend $150/month and subscribe to a device and open yourself up to a whole suite of third parties in order to use an "app"'.
You could use AI to build convenience scripts and UI tweaks, depending on your use case. Use Tampermonkey or other script engine browser tools if you need to recreate a UI feature that a banking app provides.
I can build a much better machine for less than a flagship phone costs me, including video glasses and a few power packs. A wireless video stream to a dumbed down phone that only serves as the interface for a Swype-style keyboard or something like that would also be an option - I think this might be a viable strategy.
I've seen raspberry pi phones and tablets that would absolutely terrify TSA agents, but I'm thinking more along the lines of a modded framework laptop with display hacks, or a boxy little pocket PC with a chonky battery - nothing that would alarm people unnecessarily.
I think I mostly take issue with the idea that the walled garden is necessary, or even preferable. Google at least had the barest shred of "the user has control" left - eliminating sideloading just eliminated any possible reason I would bother with them as a company.