It also prevents legitimate users that might need to roll back due to a bug or feature that affects them badly in a new build from rolling back. Really this should be a completely optional check that is user settable, as a rollback can be critical. I have had to roll back twice in recent years due to breaking changes, and why is it unreasonable to want to be able to use the last known good build from the manufacturer, as I don't want to root my phone or put on custom ROMs?
I hear ya, but hear me out... I doubt this is the reasoning. The "Why" is: Google isn't stupid... Are they? Assuming they aren't stupid and wanting to be a center point of attention for a massive security breach of "all users of Android Oreo" (or something of that ilk), this hits a brick wall. The logic, their logic, that is. If a new release comes out and several weeks later after most (meaning a lot) of the users have upgraded their devices, an exploit gets found where any device running the OS can be compromised; this leaves all of the users in a state of danger until Google finds a way to release a fix for all vendors running that version. The users can't take the device somewhere and have it downgraded to prevent the exploit from being available until Google releases "their fix".
This is essentially sounding like a Windows 10 mock behavior. "We take control" is good if you're an idiot, but it's also really bad if you're an idiot OR smart and the controller creates a dangerous situation for your finances (to be blunt). Yes, I'm aware you can unlock the bootloader/etc, but that's for the current power users set. The end idiot/smart (but non-power) users succumb to Google's authority. This isn't news. What's new is the inability to have an instructional new-release or friend method of getting around the problem.
The best method for attacks now is to have the malicious code execute and do its bidding. When the device is rebooted for anything, I mean anything, any reason at all, that boot will cause the device to be corrupted/wiped. That's what I'd do if I were a malware producer. That way the choice of the end user is to "leave the device alone and let the malware do its malwaring, or power it off and lose everything if [I] power it back on."
Screw ransomware's encryption stuff. Put a dent in the economy by disabling people's mass connectivity methods they're used to. Sure, workarounds will be found (find a phone on a desk and call using it, check your stock shit on some computer at your desk at work or home, post your pictures/videos of every element of your life using a stand-alone camera and desktop computer to your FB/Twitter/etc account, etc etc). It's not that we won't survive, it's that people will lose their way, and when many people lose their way, mass hysteria sets in.
Anyhow, I'm not typing all of this to come up with doomsday scenarios. It's just real - doing something like this locks a person in to using something that can be found to be bad, and have them locked into a bad place until a way out of that bad place is found and pushed on them. That or most everyone needs to learn how to unlock bootloaders, back up data, install an Android custom OS, restore data elements, and be fluid with back and forward software down/upgrades, you know, a power user. Just the ridiculousness of that past sentence makes it clear that it ain't'a'gonna happen.