Since the government has full control of the internet, DNS, etc. as well as the ability to fake certificates it would easily be within their means to perform a MITM attack when Android owners connect to the Google Play store. Or, even easier, perform this attack (possibly via a complete takeover) using one of the Chinese app stores that people in China have come to trust. The idea that Android users in Hong Kong are safe if they avoid downloading apps from dodgy sources is a bit naive.
A device that's only capable of running signed apps may be limiting in some ways, but it prevents a lot of mischief that a state actor that possesses total control over the internet might possibly accomplish to get malware onto your phone.