The way it is, it's actually overridable per application with "right click->open"
As I said in my original comment ;).
This whitelisting apparently survives even Sparkle updating.
Sparkle probably never sets the com.apple.quarantine attribute and if the application does not have LSFileQuarantineEnabled set in its Info.plist, its downloaded files are not put in quarantaine. Applications that do not have that extended attribute are never checked.
As I said in my original comment ;).
This whitelisting apparently survives even Sparkle updating.
Sparkle probably never sets the com.apple.quarantine attribute and if the application does not have LSFileQuarantineEnabled set in its Info.plist, its downloaded files are not put in quarantaine. Applications that do not have that extended attribute are never checked.