They will only be able to download apps that were grabbed directly from the Google Play Store (or other official app stores), according to TechCrunch. This is a logical move on the surface -- third-party apps can pose a risk to those who don't know what they're doing, and APP users are generally going to care more about security and privacy than others.
However, APP participants are also likely to be pretty tech-savvy, and it's not that difficult to avoid downloading malware-ridden third-party apps if you know what to look for. As such, this move might be met with some resistance from those who like the APP's other protections -- such as support for physical security keys -- but also want the freedom to use their devices as they please.
In other related news, the APP will now enable Google Play Protect by default for all participants (and it can't be switched off). Google Play Protect offers advanced malware protection for Play Store apps, including those that have already been downloaded onto a user's device.
If you feel the security benefits the APP can bring are worth the trade-offs, or if you want to learn more about the Program as a whole, feel free to visit the official sign-up page right here.