As far as I can tell this basically means that all apps must be approved by Apple to follow their “platform policies for security and privacy” even if publishing on a third party app store. They will also disable updating apps from third party app stores if you stay outside the EU for too long (even if you are a citizen of an EU country, with an Apple account set to the EU region).

The idea that preventing app updates is in line with their claims of protecting security is utterly absurd. “Never attribute to malice what can be explained with stupidity,” but Apple isn’t stupid.

  • Skull giver@popplesburger.hilciferous.nl
    4 months ago

    As long as the signatures exist purely for security reasons and do not require following any other requirements, like payments or ethical guidelines (i.e. “no porn”, “no emulators”), maybe.

    However, Apple seems to use notarization to enforce their rules regarding apps sold on third party stores (charging 50 cents per first install). I can’t really recall notarization stopping any malware in the past. Even their own App Store has hosted malware and fake crypto apps for ages without being taken down.

    It’s hard to take Apple’s word for any of this because of how they’re behaving. If they had just complied with EU laws instead of trying to find workarounds and loopholes every step along the way, I could probably trust the concept of notarization. In this case, I don’t trust them at all.

    I would prefer a system like Android, but with a better implementation. On Android, every app is signed the same way apps are signed, with a certificate that can belong to a certificate chain. Apps can only be updated if they’re signed by the same developer, but that’s about it in terms of validation these days. In theory, Google could make it so that you can trust specific certificates (say, Google Play’s certificate, or F-Droid’s certificate, or the certificate of a specific developer) or show a security prompt in all other cases. Any developer can generate certificates for free, and apps can theoretically be signed by multiple certificates (though I’m not sure about the practical implementation here). If certificate authorities would set up their signature in the form of store->dev account->dev, stores could retract trust in case of malware automatically.

    This approach would add the option to notarize with Apple to avoid annoying security warnings, or for someone else to set up an alternative notarization service. Unfortunately, Google abandoned all practical decentralisation of their certificate system and I don’t think Apple’s notarization will ever be independent of Apple’s servers. Apple does have certificates (“profiles”) but they’re a “0 trust or maximum trust” kind of deal that also affects other security systems, like browser traffic.
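
The trust decision proposed in the comment above (same-signer updates, user-chosen trust anchors, and a store->dev account->dev chain that a store can revoke), modeled in Python as an added example that is not part of the thread and is not Android's or Apple's code. The `Package` type, the `evaluate` function and all certificate identifiers are hypothetical, and the model assumes the signatures along each chain were already verified cryptographically.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    INSTALL = "install"  # chain contains an anchor the user chose to trust
    PROMPT = "prompt"    # unknown signer: show a security prompt
    REJECT = "reject"    # revoked certificate, or update signed by someone else


@dataclass(frozen=True)
class Package:
    app_id: str
    # Certificate IDs ordered leaf -> root, e.g. (dev, dev account, store).
    # Assumption: signatures along the chain were already verified.
    chain: tuple


def evaluate(pkg, installed_signers, trusted_anchors, revoked):
    """Decide what to do with a package under the hypothetical policy."""
    if not pkg.chain:
        raise ValueError("package carries no signer certificate")
    leaf = pkg.chain[0]
    # Updates must come from the developer who signed the installed version.
    previous = installed_signers.get(pkg.app_id)
    if previous is not None and previous != leaf:
        return Decision.REJECT
    # A store retracting trust in a developer account blocks everything below it.
    if any(cert in revoked for cert in pkg.chain):
        return Decision.REJECT
    if any(cert in trusted_anchors for cert in pkg.chain):
        return Decision.INSTALL
    return Decision.PROMPT


# Constructed sample data; every identifier here is made up for illustration.
TRUSTED = {"store:example-store"}
INSTALLED = {"org.example.notes": "dev:alice"}
STORE_APP = Package("org.example.game", ("dev:bob", "acct:bob-studio", "store:example-store"))
SELF_SIGNED = Package("org.example.tool", ("dev:carol",))
HIJACKED_UPDATE = Package("org.example.notes", ("dev:mallory", "store:example-store"))

if __name__ == "__main__":
    for pkg in (STORE_APP, SELF_SIGNED, HIJACKED_UPDATE):
        print(pkg.app_id, evaluate(pkg, INSTALLED, TRUSTED, set()).value)
    # After the store revokes the developer account, the same app is refused.
    print(evaluate(STORE_APP, INSTALLED, TRUSTED, {"acct:bob-studio"}).value)
```

Revoking the intermediate account certificate is what lets a store retract trust for every app a developer signed without touching the store's own anchor.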