That’s a reasonable take. The never part seems strong though.
If I may offer a slight consideration? “arbitrary code vs arbitrary signed code”.
What’s realistically stopping Apple from requiring all code and processes be signed? Including on-device dev code, with a trust chain going back to Apple and TPU / Secure Enclave enforcement?
Nothing.