Android is not designed the same way as a desktop operating system. For example, Android is designed to sandbox all applications and never require kernel level access. This means that if one app is malicious, as long as you haven’t granted it extra permissions, it’s much more difficult for it to affect any other apps. If you root, you’re breaking that level of defense. Android simply wasn’t designed for users to need or regularly use root, whereas Linux was built from the ground up with that expectation.

Root also makes applying security patches a challenge. Android doesn’t have a standard package manager like desktop Linux. This means that users with rooted phones are less inclined to go through the pain of updating. I haven’t rooted in a long while, but I can confirm that when I did root, I tended to avoid it for far too long. Anyway, the way Android’s incremental OTA updates work is by comparing partition hashes. When rooted, this hash gets changed and you can no longer install OTA updates.

Further, root on Android can (and as far as I recall, does) affect verified boot, meaning if you want verified boot, every time you reboot you lose root. Android verified boot detects changes to system partition and either doesn’t boot or reverts the changes. If you turn off verified boot, you cannot know if your system has been modified in a malicious way.

Put a slightly different way, Android’s security model is entirely different than the security model of something like Linux. Linux expects you to need sudo/root for certain tasks, and other protections are built around that. Android does not expect you to ever need root, so it’s not a consideration in its security design.

By rooting, you’re not just bypassing manufacturer restrictions, you’re bypassing Android’s security design entirely. It’s much more secure to just install a debloated, degoogled OS that can do verified boot.

Now, if mobile Linux ever takes off, then I’m sure it would be more like a desktop distro and less like Android.