Fair take on the tooling, but I'd push back on the security angle here. Expo's curated SDK actually matters if you're shipping production apps with user data.
Bare RN means you're responsible for vetting every native dependency yourself. That's a significant attack surface. Expo does security reviews on their included modules, which catches things like outdated OpenSSL or permission escalation bugs in libraries most devs would just npm install without thinking.
That said, you're right that you hit abstraction limits fast. I've seen teams get stuck when they need custom native code and suddenly realize they don't understand iOS/Android security models at all.
Real answer: use Expo if your threat model is "user login and data sync." Use bare if you're doing payments, biometrics, or handling sensitive PII. The native code literacy is just a bonus that saves you later.