Thanks for the detailed explanation. It makes sense!This is what keeps you from stealing someone's money: https://paymentdepot.com/blog/merchant-account-requirements/
You need a merchant account. To get one, you need to satisfy those requirements. If someone steals it all, then fine, they will be able to get the money for a short while, when people start complaining about charges they don't remember, they will shut down the account, and use any information to report the fraud to authorities, who will have the tools to prove the fraud in court and send you to prison. If you're good enough to get away with this, then you probably have skills to steal way more money and you're wasting your time. If you're not too good you'll go to prison. It's a high-risk low-reward scenario. And yes you can go around with a payment loaded in a reader (no iPhone needed actually), and tap it to people's pants to get contactless cards (not Apple Pay/other phone payments, notably, because you have to start the transaction and authenticate), but this is defeated by RFID-blocking wallets.
So if you're worried still, then know that you have 0 fraud liability. Check your statements and report any suspected fraud within 30 days, and you'll have no liability for fraud. And use RFID-blocking wallets.
I agree thieves can already do it with some reader plugged into the smartphone. But I was wondering if it could become the same story as with Tile: people could stalk someone with a hidden Tile, but it's really when Apple gets into the game that it becomes a nationwide issue, or at least a common one. As you rightly mention, there are strict requirements for activating that option in one's phone. But good hackers could find a way to circumvent these walls, like they do with any technology.
I'm not saying having this technology is not a good idea overall. I was just curious about the possible downsides. Thanks again!