IIRC (haven't used modern Macs in a while) Gatekeeper has three modes — allow App Store only, allow App Store + signed outside, allow all (unsigned) apps. Didn't they switch to the first one by default??
The most recent OSX version (Sierra) made the change of hiding the option that totally disabled Gatekeeper, but the default hasn't changed. I have a Sierra VM I set up about a month ago, and I just checked the setting and it's at "App Store and identified developers".
