I believe it is actually a Scheme dialect, and I would be very surprised if it is not compiled to some internal representation upon load.
> This capabilities-ruleset interpreter is what Apple uses the term "Gatekeeper" to refer to, mostly.
I am fairly sure Gatekeeper is mostly just Quarantine and other bits that prevent the execution of random things you download from the internet.
In the latter, Apple's sandbox rule set (custom profiles) is called SBPL - Sandbox Profile Language - and is described as a "Scheme embedded domain specific language".
It's evaluated by libSandbox, which contains TinyScheme!
From what I could understand, the Scheme interpreter generates a blob suitable for passing to the kernel.