Yes, both are sandboxed. However, Android, being an open-source platform, allows more freedom for users to install apps from various sources, which can increase the risk of malware. On the other hand, iOS has a more closed ecosystem, only allowing apps from the App Store, which undergoes a rigorous review process, reducing the likelihood of malware.
100% malicious apps are installed by the user and he gives them permissions to do anything. Like when downloading a clock and giving it permissions to open files and connect to the internet.
The reason is simple, Android OS has a lot of more users world wide, so most cyber criminals are more interested on malicious apps for Android.
I think also the Apple Store for iOS apps seems more under control or better said the most apps are carefully monitored/audited by Apple...
But if the iOS user does installing a lot of unpopular apps then most likely sooner or later some malware will be delivered in a way the user didn't noticed.
100% malicious apps are installed by the user and he gives them permissions to do anything. Like when downloading a clock and giving it permissions to open files and connect to the internet.
Absolutely, it's interesting seeing what some of the apps ask permissions for, then decide if you really need it and can live without it. Don't solely trust in the app AV installed.
I only buy unlocked phones with vanilla android such as pixels. What I install is minimal, only what I absolutely need. I create alternative emails, as the one for my phone, is only used for my phone, my other ones are used for my accounts ect.
If you want to play with apps, android ect, buy a Chromebook, put a different email addy in other than your phones, or install a emulator in a VM on Windows doing the same with the email.
The phone is the hub to everything you do, keep it minimal and secure. Do all your experimenting and playing on another device.