If my understanding is correct, it wouldnt protect new installations of the app in your hypothetical, however any attempt to update existing users would fail.

That is correct. An APK is signed with its developer's key. When you first install an app, the system trusts that key. If you later update it (by installing an APK with the same package id on top of the existing one), the key must be exactly the same for the update to succeed. The only way to install an app with the same package ID but a different signature is to uninstall the existing one first. This is done to protect the potentially sensitive data the app stores in its dedicated directory under /data/data/.

What happens if your key is compromised? Is there a way to continue with a new key or does everyone have to reinstall your app?

V3 signatures do support key rotation iirc, but they're only supported by several latest Android releases. Their existence wasn't even officially announced by Google yet. So, yeah, as of right now, everyone would have to reinstall the app.

That seems like a very interesting attack vector. Compromise a key, have a replacement/fake ready. In the ensuing confusion you trick people to install your app.

It sort of does. The new app in your case would be signed by a different key and so wouldn't have access to the existing app's data. It would boil down to a phishing attack - the new app would have to impersonate the UI of the old one and get users to log in again.

Hence my concern with this part of the article:

"While it’s unlikely Google would ever do so, it is possible that it could sign apps on behalf of a developer"

Actually given the trend the company has been on over the past 6 years I'd say it's very likely Google would do this ...