Which is corporate-speak for 'trust only Google Play'.
What the checkbox is designed to do is prevent installing random .apk files.
Firefox Marketplace is a known source. It's just not something Google will whitelist.
What the community need to include in their AOSP-derived distros is a UI for user-specified trusted repositories.
If the user then wants to add the marketplace or, say, F-Droid then they could mark these as 'trusted'. Which would then still prevent downloading an .apk from a dodgy site.
There appears to be some sort of provision for this in newer versions, as apps can actually be aware of where they came from (necessary to simplify selecting billing providers if you distribute via both Amazon and the Play Store).
But yes, extending that to something deeper is probably needed, but you almost end up needing to alter the signing model of apks slightly. In the case of Amazon-distributed builds, I believe Amazon re-sign the apk completely, which is a bit of a workaround, whereas Google distribute the apks with the developer signatures. Really what you want is a chain of trust to sources of apps that the user trusts.