Android - Android Smart Lock: Why is there no option to use WiFi?

Some forums state the risk for the WiFi network to be spoofed. I don't understand how the risk is different: an attacker could spoof a Bluetooth device as well.

The risk is different. It's not possible to spoof a paired Bluetooth device. The Bluetooth peripheral and the phone exchange keys as part of the pairing process, so both of them can securely identify the other. When the devices connect, they each challenge the other to prove they have the secret keys. If it didn't work this way, it would be trivial to "man-in-the-middle" attack the connection by pretending to be the peripheral. Then the attacker could eavesdrop on your phone calls or music, or whatever it is you're sending over Bluetooth.

Authentication works a bit differently in Wi-Fi. See this question on our sister site Super User for more discussion on that. In open networks, and networks authenticated using WEP, WPA, or WPA2-PSK, the network doesn't authenticate to the phone at all. The phone has to prove that it has the secret key (the network password), but the network doesn't have to prove anything. There are no "trusted Wi-Fi networks" in this sense. Only networks authenticated with WPA2-Enterprise, which use a certificate pair, prove their identity to the phone, by showing a certificate signed by a certificate authority (just like HTTPS websites). Presumably, Google didn't think it was worth adding an option that would only work with the least common type of Wi-Fi network, and the confusion it would cause their users.

Interestingly, Wi-Fi spoofing is already a security issue for the "trusted place" option. The location system uses visible Wi-Fi networks as one input to determine where you are, and as we've seen, that can cause huge inaccuracies. Spoofing this deliberately means looking at the networks that are visible in your "trusted place" and spoofing several at once. Your neighbourhood phone-snatcher won't be able to unlock your phone this way, but government agencies and organised industrial spies probably can: especially if they also use a screened room to block GPS and cellular signals.

What you ask would certainly be possible, but it should be restricted to when a device is connected to a Wi-Fi network using sufficient security, i.e. WPA2 authentication/encryption. Probably it was left out because it would be hard to communicate to a non-technical user why they could use certain Wi-Fi networks for authentication but not others.

In contrast to what @DanHulme wrote in his answer, when using WPA2 authentication with pre-shared keys (WPA2-PSK), both the station and the AP have to prove that they know the passphrase in the four-way handshake. A rogue WPA2-AP cannot give access to a client by just "accepting" the client's password. On the other hand, everyone who knows the PSK could fake an AP (WPA2 Enterprise does have an advantage here over WPA2-PSK).
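The mutual proof in the WPA2-PSK four-way handshake described in the last answer, as an added example that is not part of the original posts. The key derivation follows WPA2-PSK (PBKDF2-HMAC-SHA1 for the PMK, PRF-512 for the PTK, HMAC-SHA1 MIC keyed with the KCK); the SSID, MAC addresses, passphrases and frame bodies are constructed and simplified, and the function names are hypothetical.

```python
import hashlib
import hmac
import os

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    # WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # PRF-512 over both MAC addresses and both nonces, keyed with the PMK
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    label = b"Pairwise key expansion\x00"
    blocks = [hmac.new(pmk, label + data + bytes([i]), hashlib.sha1).digest() for i in range(4)]
    return b"".join(blocks)[:64]

def eapol_mic(ptk: bytes, frame: bytes) -> bytes:
    # KCK is the first 16 bytes of the PTK; the MIC is HMAC-SHA1 truncated to 16 bytes
    return hmac.new(ptk[:16], frame, hashlib.sha1).digest()[:16]

def handshake(station_passphrase: str, ap_passphrase: str, ssid: str = "ExampleNet"):
    """Return (ap_accepts_station, station_accepts_ap) for messages 1-3."""
    ap_mac = bytes.fromhex("020000000001")   # constructed, locally administered
    sta_mac = bytes.fromhex("020000000002")  # constructed, locally administered
    anonce, snonce = os.urandom(32), os.urandom(32)
    # Message 1 (AP -> station): ANonce, no MIC yet.
    # Message 2 (station -> AP): SNonce plus a MIC keyed from the station's passphrase.
    sta_ptk = derive_ptk(derive_pmk(station_passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    msg2 = b"msg2:" + snonce                 # simplified frame body
    msg2_mic = eapol_mic(sta_ptk, msg2)
    # The AP derives its own PTK and checks the station's MIC.
    ap_ptk = derive_ptk(derive_pmk(ap_passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    ap_accepts = hmac.compare_digest(eapol_mic(ap_ptk, msg2), msg2_mic)
    # Message 3 (AP -> station): the AP must now send a MIC of its own,
    # even if it chose to ignore the result of the check above.
    msg3 = b"msg3:" + anonce                 # simplified frame body
    msg3_mic = eapol_mic(ap_ptk, msg3)
    station_accepts = hmac.compare_digest(eapol_mic(sta_ptk, msg3), msg3_mic)
    return ap_accepts, station_accepts

if __name__ == "__main__":
    # Both sides hold the PSK: each MIC verifies.
    print(handshake("correct horse battery", "correct horse battery"))
    # AP does not hold the PSK: the station rejects message 3.
    print(handshake("correct horse battery", "anything-goes"))
```

The first case succeeds for any access point that holds the passphrase, which is the limitation the answer notes for WPA2-PSK compared with WPA2 Enterprise.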