To me, all this looks like people knowing that signing is somehow good and demanding it in a context where it isn't clear that it makes sense. And given that the top post in this thread is about skeevy domains, how the heck would signing scripts achieve anything? Even the reposted tweet says "don't think you could weaponize".
The threat model is a malicious entity has limited access and can swap out the intended script for a malicious one, and have it run in a root context.
This is equivalent to not having signatures on your repository packages and saying "no biggie, we rely on transport encryption". Might work in most cases, but there's a reason good security uses layers. A failure at any point (TLS downgrade attack, repo compromise, proxy compromise, DNS poisoning) can result in your preflight script executing malicious code.
Requiring code signing with a pinned cert would solve this issue, but would be terribly out of character for the company that brought us a hidden local REST API to bypass OSX security prompts.
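The "signing with a pinned cert" mitigation described in the comment above, as an added example that is not part of this thread and not the vendor's code. It assumes an Ed25519 detached signature over the script bytes and a single vendor public key compiled into the installer; the key pairs, the sample script and the "attacker" key are all constructed inline so the program runs offline. The point it demonstrates is that a pinned key rejects both a script swapped in transit (the original signature no longer matches) and a script carrying a perfectly valid signature from some other signer, independent of whether TLS, DNS or a proxy held up.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrNotPinnedSigner is returned when a script's signature does not verify
// under the key baked into the installer; any other signer is rejected.
var ErrNotPinnedSigner = errors.New("preflight script signature does not verify against the pinned key")

// PinnedVerifier holds the one vendor public key the installer trusts.
// In a shipped installer this key would be a constant; here it is created
// at run time only so the example is self-contained (hypothetical type).
type PinnedVerifier struct {
	pub ed25519.PublicKey
}

// GateScript returns the script bytes only if the detached signature verifies
// under the pinned key. A script that fails is never handed to the executor,
// regardless of how it arrived (TLS, CDN, proxy, cache).
func (v PinnedVerifier) GateScript(script, sig []byte) ([]byte, error) {
	if len(v.pub) != ed25519.PublicKeySize {
		return nil, errors.New("pinned public key has the wrong length")
	}
	if len(sig) != ed25519.SignatureSize {
		return nil, ErrNotPinnedSigner
	}
	if !ed25519.Verify(v.pub, script, sig) {
		return nil, ErrNotPinnedSigner
	}
	return script, nil
}

// SignScript is the vendor-side release step: sign the script with the
// private key that corresponds to the pinned public key.
func SignScript(priv ed25519.PrivateKey, script []byte) []byte {
	return ed25519.Sign(priv, script)
}

// Outcome records whether each delivery scenario was allowed to execute.
type Outcome struct {
	Genuine  bool // vendor script, vendor signature
	Tampered bool // script swapped in transit, original signature replayed
	OtherKey bool // script signed by a valid key that is not the pinned one
}

// RunScenarios builds a constructed vendor key pair and a constructed
// attacker key pair, then gates three deliveries through the same verifier.
func RunScenarios() (Outcome, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	installer := PinnedVerifier{pub: vendorPub}

	// Constructed sample script standing in for the real preflight script,
	// and a copy modified in transit.
	genuine := []byte("#!/bin/sh\nmkdir -p /Applications/Example.app\n")
	swapped := append([]byte("echo tampered\n"), genuine...)

	vendorSig := SignScript(vendorPriv, genuine)
	attackerSig := SignScript(attackerPriv, swapped)

	var out Outcome
	_, err = installer.GateScript(genuine, vendorSig)
	out.Genuine = err == nil
	_, err = installer.GateScript(swapped, vendorSig) // replayed vendor signature
	out.Tampered = err == nil
	_, err = installer.GateScript(swapped, attackerSig) // valid signature, wrong signer
	out.OtherKey = err == nil
	return out, nil
}

func main() {
	out, err := RunScenarios()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("genuine executed: %v\ntampered executed: %v\nother-key executed: %v\n",
		out.Genuine, out.Tampered, out.OtherKey)
}
```

The check sits between download and execution and depends only on the pinned key, which is the "layer" the comment is asking for: transport security can fail at any of the points listed and the swapped script still never reaches the root-context executor.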
What is the threat model?