Having to declare it isn’t a barrier to having it off by default - the default-off option is to address the concerns about adversarial device certificates (which IMHO isn’t a real security threat, in that anyone with the capacity to install device certificates already has access to the device and therefore the Obsidian vaults anyway; there’s no additional protection). Increased scrutiny on Google Play feels like even more of an excuse when there are tons of examples of apps that have no trouble offering user certificates (Nextcloud for an example of an app that by nature contains a ton of sensitive data and is developed by a very conscientious team). Google’s paranoia around user certs related to apps automatically installing CA certs either with no user intervention or with obfuscated user intervention - those capabilities have been removed from Android though. Google’s real concern with user mode certificates would be if you included a guide in the app explaining how to install a cert with no explanation of the security implications.