Having a rooted device doesn't mean any old app can just auto-install and steal all your data/bitcoins... first of all it has to get on your device, then you have to run it... then you have to grant it root permissions...
HCP, this is incorrect. If your device fails the boot verification check (any rooted device should fail this check), then your funds are vulnerable to any malware that modifies the OS. Without boot verification you don't have any way to detect if the OS gets modified.