Honestly, it wouldn't surprise me if it just meant distributing package via homebrew means signing the package, much like any other package manager. Yes, you can get something similar with checksums, but it doesn't provide any method of authenticity of the distributor.
Is it friction? Hell yeah. A pain? Yes. Is it purely bad? No. Does it have positives? Some. It's not black and white.
Apple seems to be trying to walk a line with MacOS and keep all of its user bases happy, but it's a hard line to walk.
That said, how can they lock it down? You need macOS open to develop apps for their other devices.
They can’t get rid of homebrew et al, as they’d lose their iOS developers! Don’t you agree?
The fact they explicitly have a “Dev tool” category you can use here says a lot about their approach being open for power users.