The "solution" to this is to pay Apple an $100 / year extortion fee (per developer), and also a bit of a convoluted setup to "sign" every single package you make (even automated ones in CI)

If Apple doesn't like you they can just stop accepting your builds. 🤷

ad-hoc builds don't work here, as signed apps are not allowed to load plugins (and libraries) that have been ad-hoc signed.

With this I might just drop macOS support from my projects.