http://www.zdnet.com/article/google-android-security-report-2017-we-read-it-so-you-dont-have-to-and-here-are-the-takeaways/
Google Play has given Google more control over security. Like Apple's App Store, one central app distribution point gives Google more security control. Google noted that Android devices that only download apps from Google Play are nine times less likely to get a PHA than devices from other sources. Google Play Protect protects almost two billion devices.
But is the above precisely correct?
While all Android devices benefit from protections built into the platform,
Android devices with Google Play services have an additional layer of
defense to keep them safe. Google protects these devices right out of the
box with Google Play Protect, our built-in device, data, and apps security
scanning technology.
No it is not, Google Play apps are scanned using a cloud anti-virus program.
What else is special about Google Play?
https://www.theguardian.com/technology/2014/jan/23/how-google-controls-androids-open-source
Manufacturers can be refused a licence if they do not meet Google's requirements. Google does not charge for a GMS licence, but any company producing an Android device will need a certificate from an authorised testing facility in order to apply for the licence. That often incurs fees.
One source told the Guardian that the fee varies and is negotiated on a case-by-case basis, with one example costing $40,000 for a batch of at least 30,000 devices. A separate source said that in another deal, a testing facility quoted $75,000 to test 100,000 devices.
And rather recently, Joseph Cox said in tweets within hours of each other that the US government shutdown a phone maker that could only sell secure Blackberries to drug dealers and that a judge signed a warrant for any Google location enabled apps. For some reason, the Tor Project recieves more free PR than any business providing a phone remotely resembling anything that is desired by civil libertarians.
You people don't notice anything. At all. You people never accomplish anything useful you want, ever.
It is extremely trivial for Google to make Android more secure, create an app anti-virus API, require security updates within one month of the issue being discovered for Google Play access, etc.
And the question about whether devices should be rooted or not by the user is pretty simple. An unrooted device is a production environment designed to be secure by hundreds of people, and the occasional bug bounty. A rooted device is a development environment whose security is owed to anyone with physical access to it.