Good catch. Yes, side-loading directly from the developer website isn’t going to trigger marketplace obligations. Those obligations still exist but are the responsibility of the developer directly.

Under the CRA, smartphones are considered to be much more critical from a security standpoint and, by the end of 2027, will have to follow an enhanced set of “best practices” to be able to enjoy a presumption of conformity. The best practices are due to be published by December of this year. I think Google already knows that developer attestations will be on that list and want to appear proactive instead of reactive.

The point still stands - the DMA does not exist in a vacuum. Other EU laws affect how you interpret it, and you should assume that the EU will pass more laws in the future that also affect how you interpret it.