The app would be restricted to environments certified by Apple or Google. Then the app can apply features like trusted time to implement client-side rate limiting.
If the app wants to take advantage of mandatory hardware attestation, it has to require Android 13 or later. This would undermine somewhat the promise that the app supports a wide range of devices. Even banks don't currently enforce Android 13+.
The current policy trend in the EU is definitely not based on the principle of each user evaluating their own risk. On the contrary, service providers like financial institutes and identity providers have the responsibility to keep users safe, and more and more regulation will be made. The natural consequence is restricting which platforms are supported.
Bad money drives out good money only if there is a legal tender law such that both have to be accepted for the same nominal value. In this case, good money is hoarded because it cannot be traded for its true value.
It's the security of the ecosystem, where the interests of app vendors are fundamental: content distributors can count on enforcing DRM, and banks are relying on the camera used for KYC actually being a camera and not a virtual device.