Comment by frde_me 6 days ago

Well, one answer might be that someone could spin up emulators.

Or reverse engineer whatever app you have.

Or reset their phone? (or would you restrict it somehow to one account per physical phone? What happens if it gets sold or given away?)

Having worked in fraud detection a bit, it's _really_ hard to prevent people from making multiple accounts. Short of requiring ID-based verification, and even then.

And then you have to still not go overboard and keep the onboarding low friction enough that people will be willing to go through it.

atmanactive 5 days ago

Your points are all true. But we must not forget that security is like onion layers. The fact that something can't be made military-grade hack-proof doesn't mean we should leave it wide open for the whole world to abuse.