Actually disagree with this example, even usb debugging is enabled, you still need to trust the device first to access, so there is still one more security layer to go through.

developer mode usually not the issue but the usb debugging/wireless debugging, but some developers just simply choose to checking for developer mode instead of specific feature block.
I would say it's for prevention and to cater for "don't know what they are doing" person and this affect legit users. Banks probably use owasp-mastg as guideline.
- to reduce attack vector (to the bank app or the user).
- harmful / unknown sources app can still trick user to make it as trusted device.
- someone has your unlocked device access and install harmful apps.
- if there is a new exploit to bypass trusted access.
- unknown charging/usb port that try to gain trusted access and some people will just simply click trust it because it disturb what they are doing and don't know what is it.
- unauthorized screen mirroring/remote/key-logging (after gained trusted access).
- and probably more

I think you misunderstanding this, he mean the bank apps check for apps that not installed from Google Play Store, but some chinese phone manufacturer (xiaomi, poco, oppo, etc) come with preloaded apps that are not downloaded from Play Store.

The android developer usually either, many of them are iphone user or using those samsung, etc, company didn't provide variety of testing phone brand to test or any cloud devices service. The developers will need to whitelist those preloaded apps if they are implementing this mechanism.

I think your reply already out of the topic and not relevant, suggest you to reread what he said again.

1. Public bank apps flagged one of his installed apps as red flag (which most likely mean from unknown source or not from Google Play Store)
2. The apps actually pre-installed or downloaded through the OS update from Oppo (can be Oppo Camera/Gallery apps or whatever, I not sure as I not using Oppo), but Public bank app only check for apps that installed/downloaded from Play Store which disqualified these apps.
3. I didn't use public bank so I assume the user blocked from using the public bank app.

Since they didn't block then I guess should be no worry much for now, if they doing this they gonna get backfired as this few brand typically are cheap range phone, there are quite a number of people who use them. Generally will only block usb debugging, as this setting doesn't affect regular user.

Just some correction, the blacklisted domains not necessarily are all malicious (depend on which list are using), some list include blocking analytics tools domain like Google Analytics as well, companies use those for data collection and analysis.
Not sure which functionality you looking at, but one of the example that get functionality break I knew is those universal link/deep linking third party services like adjust, branch, appsflyer, etc which usually came with analytics data collection. Their functionality (especially deferred deep link) will get affected as the universal ink (something like a shorten link) need to process through their server to get proper navigation linking in the apps. Companies use them for the universal link + analytics + push notification campaign + more as solution instead of implement their own from scratch.

I never said Google Analytics are saints . Companies usually use those third party services to save the development cost and time, especially when those marketing/business team demand for something to roll out fast. Build from scratch takes a lot of cost, people and time, when there are many complete, featured-rich and ready solution out there.

What data to be submitted to those third party service server also decided by developer, usually not bodoh to feed sensitive data into it and their security team should also review it.

Of course you can block them, and it is the developer responsibility to at least keep the main functionality to work properly.

Information or data leaked can be also from insider/staff though, but this will depend how they manage their security sop within the company.