
It's not really Telegram that's installing the APK. It's just trying to open the file with your default APK file handler. Which is the system, and by default doesn't allow arbitrary APK installation.

Think of using a browser to download an installer. You download the installer, then open the installer file; it's not the browser that's installing the software, it's you opening the installer file.

Telegram shouldn't assume it's a video file because that makes it confusing for the user, but tbh if I want to send a friend an APK and they want to install it, shouldn't that be allowed? Software freedom, control over your own device and all?



So the way it works is: an app initiates an Open intent with the apk, the system handles this as an install, then the installer checks to see if the app initiating the intent has the "install unknown applications" permission. The problem is that the user can grant any application that special permission. It shouldn't work like that; an app should have to list that permission as one it accepts, which would avoid scenarios like this without interfering with user freedom (you can download the apk sent on Telegram, then open it in your file browser or something which allows itself to be given app installation permission).


Telegram should not be tricked into downloading an apk as a video.

I assume you can send a normal apk to your friends and Telegram correctly warns the recipient when that happens.

But when it's a "video"...
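
The check the last comment asks for, as an added example that is not part of the thread and not Telegram's code: classify an attachment by its bytes instead of trusting the declared media type. All function names and sample bytes below are constructed for illustration.

```python
import io
import zipfile

APK_MIME = "application/vnd.android.package-archive"

def looks_like_apk(data: bytes) -> bool:
    """True if data parses as a ZIP whose central directory lists AndroidManifest.xml.
    The directory is located from the end of the file, so a prepended video header does not hide it."""
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return False
    try:
        with zipfile.ZipFile(buf) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return "AndroidManifest.xml" in names

def looks_like_mp4(data: bytes) -> bool:
    """ISO base media files carry the box type 'ftyp' at offset 4."""
    return len(data) >= 8 and data[4:8] == b"ftyp"

def classify_attachment(declared_mime: str, data: bytes) -> str:
    """Return 'ok', 'mismatch' or 'disguised-apk' for a declared media type."""
    if looks_like_apk(data):
        return "ok" if declared_mime == APK_MIME else "disguised-apk"
    if declared_mime == "video/mp4" and not looks_like_mp4(data):
        return "mismatch"
    return "ok"

# Constructed samples: a minimal APK-shaped ZIP, an MP4 header, and both glued together.
def _sample_apk() -> bytes:
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"placeholder")
        zf.writestr("classes.dex", b"placeholder")
    return out.getvalue()

SAMPLE_APK = _sample_apk()
SAMPLE_MP4 = b"\x00\x00\x00\x18ftypisom" + b"\x00" * 16
SAMPLE_POLYGLOT = SAMPLE_MP4 + SAMPLE_APK

if __name__ == "__main__":
    for label, mime, blob in [("apk as video", "video/mp4", SAMPLE_APK),
                              ("real mp4", "video/mp4", SAMPLE_MP4),
                              ("mp4+apk polyglot", "video/mp4", SAMPLE_POLYGLOT)]:
        print(label, "->", classify_attachment(mime, blob))
```

A client that runs this kind of check before choosing a preview or "open" action can show the APK warning even when the sender labelled the file as a video.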



