They could allow side loaded apps with the same notarization requirements as Mac apps. This could prevent the proliferation of outright malware. Even side loaded apps are still subject to the iOS app sandbox. The permissions APIs could still be enforced too. Done correctly, this could be like current side loading but without the need for a developer certificate to make apps last more than 7 days.