The device clears user storage before allowing you to flash a new OS, so that isn't an effective way to compromise a user's data. Application installation requires unlocking the device, so the ability to sideload doesn't give an attacker any meaningful ability over installing from an unscanned app store like Apple's.