1. Your link gives directions for enabling a setting on M1/2/3 Macs that does allow running unsigned apps from the internet without prompting (see the heading labeled "Big Sur and later on Apple M1 ARM64 processors").
2. Even without following those steps, I can run unsigned apps (I just have to click through a Gatekeeper warning the first time I run each one).
3. Requiring technical users to run two terminal commands and adjust one setting in System Preferences one time to globally allow unsigned apps seems like a reasonable trade-off to prevent non-technical users from running malicious programs... like, if I were setting up a Mac for my grandmother, I would never enable this Gatekeeper bypass.
Gatekeeper is one of those things that is loud when it gets in your way, but silent if it isn't working... so having it off by default doesn't really make sense. The only way I can see having it off by default is by adding a screen to the onboarding flow that asks a question like "Do you plan to submit an app to the App Store in the next 12 months?", and then disabling Gatekeeper if the user clicks yes.