I don't see much difference between the current desktop situation and that with mobile except that the likelihood that users will install ill-behaving apps on mobile is higher. When I use my distro's package manager to install the Chromium browser, I get a warning that the program's source is untrusted. Is there a qualitative risk difference between the Chromium installation and downloading some random game from an online marketplace that I'm missing? Isn't the only sensible approach on mobile to install only signed packages from trusted sources, as on the desktop?
The two solutions I employ on the desktop are to keep the most sensitive data encrypted and to use virtualization (qemu-kvm) to encapsulate some operations (either the most sensitive or the most risky). The second approach is a variant of the Android sandboxing. I don't see what alternative security-naive users can sensibly pursue.