I have no axe to grind with Apple. I'm a happy Apple customer and have been for most of 30 years.
The same code that keeps malware from running on a mac (or iphone) keeps non-app-store apps from running on an iphone, or prompts you to move non-notarized apps to the trash on a mac.
It's not some separate thing: the exact same code path that protects the consumer store revenue and developer notarization service revenue also protects users against malware.
EDIT, for clarity: I am speaking of Apple-developed, Apple-owned platform security code, where root keys are not held by anyone other than Apple, not generic crypto primitives or the concept of code signing in general (where we have a P-as-in-public PKI).
Which is the same code that keeps unsigned bootloaders from running on PCs which is the same code that keeps unsigned packages from being installed on Linux systems which is the same code that keeps unsigned browser extensions from running on Firefox which is the same code that shows the scary warning on Windows.
Lol you have never had to deal with apple's over complicated code signing as a developer.
Adds a lot of wrenches when your just trying to do basic stuff like codesign and push test builds onto a USB connected device from a bash script and it is flaky and undocumented as fuck.
I am honestly jealous of my android counterparts with their far simpler system and first class command line support via adb.
The same code that keeps malware from running on a mac (or iphone) keeps non-app-store apps from running on an iphone, or prompts you to move non-notarized apps to the trash on a mac.
It's not some separate thing: the exact same code path that protects the consumer store revenue and developer notarization service revenue also protects users against malware.
EDIT, for clarity: I am speaking of Apple-developed, Apple-owned platform security code, where root keys are not held by anyone other than Apple, not generic crypto primitives or the concept of code signing in general (where we have a P-as-in-public PKI).