If this can happen, is it possible that once mandatory developer verification comes into effect, all 3rd party apps will be uninstalled at first and require a re-install?
Concerning this specific case, NFCGate is a tool on which malware (family) titled NGate by ESET is based, thus likely causing a false positive.
Oh, and no bypass is available anymore (aside from disabling play protect):
On one of my phones I do this plus delete/disable everything from google, except play services and play services framework (with everything disabled in there, only cloud messaging enabled). For apps on the play store I just download from aurora store.
The only thing I needed the play store for was to register 2FA for the government app on that phone. On the rest, it didn’t make a difference.
On another phone I use microg and it works fine too. I think attestation (safetynet) and disabled root and dev tools will make everything work fine, I put my hosts file using adb in recovery mode and no application has noticed. No banking app, nothing noticed.
I didn’t know that Android would block installs from “unauthorized sources” using play protect, I thought it would be hardcoded into play services or even on the android images.
Edit: for such a “secure” implementation, etc, it seems very weak, ngl
That is because it is security theater.