
Malware can do tons of damage even with only regular user access, e.g. ransomware. That’s a different problem from preventing legitimate software from causing damage accidentally.

To completely neuter malware you need sandboxing, but this tends to annoy users because it prevents too much legitimate software. You can set up Mac OS to only run sandboxed software, but nobody does because it’s a terrible experience. Better to buy an iPad.



> but nobody does because it’s a terrible experience

To be fair, all apps from the App Store are sandboxed, including on macOS. Some apps that want/need extra stuff are not sandboxed, but still use Gatekeeper and play nice with SIP and such.

FWIW, according to Activity Monitor, somewhere around 2/3 to 3/4 of the processes currently running on my Mac are sandboxed.

Terrible dev experience or not, it's pretty widely used.



