Looking at AOSP, the logic that allows something like Play Protect to work is at [1]. It looks for system apps that can handle the ACTION_PACKAGE_NEEDS_VERIFICATION intent, which is the Play Store app in this case. Looking at the Play Store's AndroidManifest.xml, the PackageVerificationReceiver component is what listens for that intent.

With root access, it should be possible to disable just that component without breaking other functionality by running:

    pm disable com.android.vending/com.google.android.finsky.verifier.impl.PackageVerificationReceiver

To reenable:

    pm default-state com.android.vending/com.google.android.finsky.verifier.impl.PackageVerificationReceiver

Without root access, disabling the Play Store completely (if you don't need it) via the normal Android settings should also do the trick.

[1] https://android.googlesource.com/platform/frameworks/base/+/...

Those messages are very annoying. Play Protect periodically tries to get you to turn it back on, once every few weeks or so. I really wish there was a way to turn that annoying nag off.

Glad I have it off though: KDEConnect is great, I use it all the time to transfer files and send text messages from my computer.

I agree but millions of users are ok with Tim Cook deciding what they may use on their own phone. We're so screwed.