I don't think it'd be that easy to copy the entire Coinbase app and trick the user into using it
They don't need to copy the whole app, though. All they need is a convincing-looking login screen and a back end to send whatever username and password is entered on that screen to the attacker, perhaps followed by a "Servers busy, try again later" warning to not make it immediately obvious that something is wrong. Even something as simple as that is more than capable of stealing login details. You don't need to copy the whole wallet functions, trading functions, etc. You just need enough to convince people to try to log in.
But if there's a bunch of apps that closely resemble SPVs like Electrum, Mycelium etc, I imagine it could be confusing and difficult for newbies to navigate. If you want to err on the side of caution and this becomes a bigger issue, then I think there's an argument to be made for custodial wallets in *certain* situations.
But similarly, there are a bunch of fake Coinbase apps, Binance apps, or apps for other custodial services. There are also a bunch of fake websites for all these services. And fake emails. And fake social media accounts. And so on. People will always be exposed to potential scams. Better in my opinion to use a wallet like Electrum where you can verify with certainty you are using the real one.