Or does something like notarization take care of that?
You’re basically trusting Apple that it’s the right dev.
Wouldn’t that be the case if I’m installing from the App Store as well? If it’s the same then I have no problem trusting Apple with this.
Yes
You’re also trusting Apple with the OS as a whole so I’m not convinced impersonating developer certs should be your largest concern if you don’t trust Apple whatsoever.
My thoughts too.
Well, Apple doesn’t verify every app signature, so there could be a time period between an Apple developer certificate being compromised and Apple revoking it.
I’m not sure what the likelihood is that a developer leaks their Apple certificate but not their GPG key, though; probably pretty small… depends on their build workflow, I suppose.