OK, quick lesson in how Gatekeeper works:
When you download a Mac app from the web, or save it from an email, a bit of metadata called the "quarantine attribute" is attached to it. When you try to run an app with the QA, Gatekeeper checks whether it's allowed to run; by default this will be allowed if it's signed. If it doesn't pass GK, you can still run it anyway by right-clicking on it and choosing "Open". When the app runs, regardless of whether GK passed it or you overrode GK, the QA is removed. After that GK no longer cares about it, and the app will just run normally without further fuss.
Safari and Apple Mail automatically add the QA to anything they download, and most 3rd party browsers and email clients now do the same. But if you download an app using most command line tools (curl, wget, ftp, scp, etc), or if you build it yourself from source, then the QA never gets attached to it in the first place, so GK doesn't care about it and the app just runs normally.
As far as I can tell the new notarization system doesn't change any of this, it just adds another form of code signing.