android:debuggable="true" ships a debuggable build, letting an attacker attach a debugger and read memory.
With android:debuggable="true", anyone with physical or ADB access attaches a debugger to the production app: dump memory, call internal methods, and lift tokens from the heap. run-as also opens the app's private data dir.
Device-level attackers and malware-assisted users can read secrets and drive the app; Play flags it too.