Application re-signing threat protection is considered best security practice and is translated by the industry as following MASVS/MSTG requirements:
MSTG-RESILIENCE-1 The app detects, and responds to, the presence of a rooted or jailbroken device either by alerting the user or terminating the app.
MSTG-RESILIENCE-3 The app detects, and responds to, tampering with executable files and critical data within its own sandbox.
MSTG-RESILIENCE-10 The app implements a 'device binding' functionality using a device fingerprint derived from multiple properties unique to the device.
In the wild, the implementations can vary and be client-based and/or remote app and device attestations and are quite common for enterprise applications (especially in absence of MDM). See for example Slack 21.09.20.0 client-based device root check:
The proper way of implementing this app/device attestation is the remote one (SafetyNet for Android and similar for iOS) as the client-based check (see above for Slack) can be easily overcome with application tampering and re-signing.
Google Play Protect (GPP) is also part of the infrastructure to ensure the device is not running/installed malicious/re-signed packages. Unfortunately, local scans by GPP do not detect the app being signed by a different certificate from the one in Play Store. However, GPP prevents the upload to the Google Play Store of a re-signed application with the same package name.
Owing to aforesaid subject threat has only a physical attack vector, and the attacker needs to have access to an unlocked device. The CVSS score can be calculated as CVSS:3.0/AV/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N (1.7) Low.
The app can be repacked/modified only when the device is Unlocked / Rooted / JailBroken.