Yes, it is really dumb that some of these settings are exposed to all apps with no permission gating [0]. But it will likely always be possible to fingerprint based on enabled developer options because there are preferences which can only be enabled via the developer options UI and (arguably) need to be visible to apps.
What might help better is having permissions that you can set separate settings that can be read for different apps (including the possibility to return errors instead of the actual values), even if they can be read by default you can also change them per apps. (This has other benefits as well, including possibility of some settings not working properly due to a bug, you can then work around it.)
Because estimates suggest Americans lose about $119 billion annually to financial scams, which is a not insignificant fraction of our entire military budget, or more than 5% of annual social security expenditures.
Banks do these things to check security boxes, not to prevent scams.
In this case, they don't want users to reverse-engineer their app or look at logs that might inadvertently leak information about how to reverse-engineer their app. It is pointless, I know, but some security consultant has created a checkbox which must be checked at all costs.
What do scams have to do with having developer options enabled?
This isn't a rhetorical question. There's no big red warning on the developer options screen saying it's dangerous. I haven't heard about real-world attacks leveraging developer settings. I suppose granting USB debug to an infected PC is dangerous, but if you're in that situation, you're already pwned.
Android is attempting to discourage good / regular users from sideloading apps, rooting their phone, etc.
Android wants good / regular users to pass things like Play Integrity with the strongest verdicts.
This helps app distributors to separate regular good users from custom clients, API scripting etc that is often used to coordinate scamming, create bots, etc. If an app developer can just toss anyone who doesn't pass Play Integrity checks in the trash, they can increase friction for malicious developers.
Nobody reads disclaimers, and people who get scammed and lose their life savings won't be made whole by being told "you accepted the disclaimer, nothing we can do."
Most of the victims were last in school in the 1960s when all this stuff didn't exist. Also from experience teaching people with dementia or memory issues is kinda challenging as they just forget.
I wonder if you might be relying on a stereotype of victims. Here's some recent data: "The 2024 FTC Consumer Sentinel Network reported that 44% of all 20-somethings claimed losses in 2023". More data here: https://www.synovus.com/personal/resource-center/fraud-preve...
JFC. Why would an app be allowed to know this? Just another datapoint for fingerprinting.