when a user owns a phone they can install whatever they like.
a company cant stop them.
but their actions can, and did, affect the company IT system.
If that is such a risk vector for you than hand out company phones and manage them. My workplace does.
We have both iOS and Android devices deployed and users cannot install anything on either. Neither App Store nor Play Store are accessible and any potential side loading is disabled as well.
It appear to me you could have prevented the user from using a device you cannot manage and could have taken steps to prevent users from accessing the secure WiFi, but didn't choose the first to save money and didn't do the second probably for the same reasons, and yet we somehow need to prevent people from installing stuff on their own private devices because of that.