I don't really understand why all sideloads are put into the same category. Because the APK must be signed, and e.g. you could easily verify Facebook/Microsoft/bigcompany signatures.
Facebook was just caught using loopback networking to completely bypass app sandboxes. If anything, I’d want to block any app that contains a dependency they signed.