Attacking the kernel via its command line
Posted Jun 21, 2017 0:32 UTC (Wed) by walters (subscriber, #7396)
In reply to: Attacking the kernel via its command line by thestinger
Parent article: Attacking the kernel via its command line
Posted Jun 21, 2017 0:52 UTC (Wed)
by thestinger (guest, #91827)
Another issue with code on Android is /data/dalvik-cache, since if there's non-preoptimized app code it gets dynamically compiled and used from there. CopperheadOS deals with this by preoptimizing all the base system app code / system_server / frameworks and updating it all as part of over-the-air OS updates rather than relying on out-of-band app updates (alongside fully disabling JIT compilation to use full AOT compilation, but that's not related to verified boot). That lets it fully disable execution from /data for the base system without a performance hit (similarly, dynamic code generation / execution in memory and via the file system is disallowed, but that's less tied to verified boot).
There's a lot of trust in the userdata partition for things that are *not* code too, like cached package manager data tracking some properties about installed apps. Introducing verified boot to an existing system is a whole process. For Android, it's useful already, but it's not as powerful as it seems (for now).
