The average Windows user does a web search for software and very often finds not the first-party website operated by the developer, but instead finds websites like SourceForge, CNET, Softpedia, etc. Downloading sketchy freeware from third parties is Windows culture. This culture is encouraged by Microsoft not vetting and packaging free software themselves like Linux distros do.
I don't know where you've gotten the idea that Windows will just run whatever software you provide it without saying anything. Executables must be signed with a trusted CA. You can get this trust by buying a CA and waiting for reputation to build (which means any malware you produce can be tracked back to your business), submitting the software to Microsoft for malware analysis, or waiting a very long time for reputation to build[0].
If your executable doesn't have trust, a scary warning pops up (or Windows blocks the app from running) and tells the user "Windows Defender SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk." This seems about as effective as having a bunch of random people vetting packages for a Linux distro.
Sure, if by "scary warning" you mean the click-through nags that Windows pops up early and often (sometimes multiple times for a single action) and that have trained generations to ignore software warnings and dialogs in general.
I honestly just installed my first non-throwaway Windows VM in a long while, and I was appalled at how the state of the art in Windows "security" is still stuck where it was a decade ago.
Not only that, but for a while, a lot of Windows developers had links to sketchy mirrors right on their own web pages! They've normalized sending users to sites with names like DonkeyMirror.ru to download their official ZIP files.
> Downloading sketchy freeware from third parties is Windows culture
No, it's "computer illiterate" culture. Windows has a few package managers available these days (including a first-party one). Developers on Windows install things the same way that Linux users do, though not usually building the software along the way (though I often have to use CMake with Visual Studio).