A large part of the reason is that mobile operating systems, by default, have a much more granular and locked down permissions system: the OS itself is designed to be impossible to modify without breaking the startup process, and apps have to be given explicit consent from the user in order to access sensitive permissions such as location, reading/writing local storage outside their own scoped storage, etc.

Desktop operating systems such as Windows are a lot less restricive. In earlier versions of Windows, there weren’t many restrictions on what any random program could access or write to. If a program requested administrator priviledge, and the user granted it, the program had largely unrestricted access to everything.

Locking down a desktop OS in a similar fashion to a phone isn’t as practical. For example, users expect for an administrator level user to be able to install hardware drivers as needed.