
How do you define hackable? Also, it is trivial to run unsigned code on a Mac.

Signed binaries are a totally reasonable security feature for computers sold to people that will install anything. Having a reasonable (hard enough to find) workaround is totally acceptable in my book.

I also believe you can trust a self-signed code-signing certificate if you want a more permanent solution (citation needed).



Hackable means I can run any software I want from any source without anyone's permission. My understanding (please correct me if I'm wrong) is that starting with M1 Macs, I now need Apple's permission to distribute an app whether I use their store or not. Richard Stallman is seeming more and more prescient every year. Users should not be forced to give up control like this.


I think part of why the signed apps system feels onerous to me is that I can't really trust it for the things that matter most.

Even if I'm assuming no exploits, everything working as intended, the permissions don't map well to what I care about.

I don't really care which app has access to the camera, I care about what gets done with the recording (or even metadata/inferences from the images) or about it taking pictures at surprising times. Some fitness tracker needs a lot of data, which is fine as long as they aren't selling it to third parties.

I would love the feature if it was something I could rely on, with audits of the client code, backend infrastructure, transparency in regard to data use, etc. As is, installing software is still caveat emptor.


Capabilities are a technical problem with a technical solution. As in: an app can't use the microphone or access the Downloads folder without getting permission from the user, by design.

What you're after is a sociopolitical problem, and would take a sociopolitical solution. It simply can't be implemented in software, and it can't be implemented correctly in all cases, period: even if the app designer is a perfect angel, and only does exactly what they've pledged to with your data, the company could be bought by Evil Corp, or get hacked.


I totally agree with you, but it's worth noting that what you're describing is TCC (permissions for camera, accessing certain folders, etc), which is somewhat orthogonal to code signing. It's also much harder (practically impossible in many cases) to actually disable than Gatekeeper if you don't like it.

