The fact that Apple allows an application to be installed in this step is an issue with Apple's design.

It’s a script, though; should they sandbox the preinstall phase? That would break most packages.

Instead of silently breaking they could have a popup like "Do you allow the preinstall script to write into /this/folder?" on a write operation outside of the sandbox.

99% of users will have no fucking idea what that means. They will either click 'Allow' (which makes this feature useless for 99% of people) or contact tech support (adds friction to installation, which is bad especially for conferencing software) or just give up and not use the product (which is bad for the company).

To be fair, it would at least ruin Zoom's incentive to do any of this, since they wanted a streamlined process that prompts the user less.

Why they didn't just use a dmg that has you drag the application into /Applications/ is something I still don't understand though. Surely that is the simplest most user friendly way to have non-technical users install applications without using the appstore.

Maybe so, but that doesn't excuse those exploiting that flaw.

To be fair, Apple has rectified this flaw by writing the Mac App Store, where applications can't pull these shenanigans and are properly sandboxed from one another.

Why is the store relevant to sandboxing?

They only allow sandboxed apps to be placed on the store.