This doesn't really address your concern, but I feel obligated to share the Gatekeeper bypasses I know about:

Homebrew has an option which bypasses Gatekeeper when installing apps:

  brew install --cask app --no-quarantine

And apparently you can have this on by default:

  export HOMEBREW_CASK_OPTS="--no-quarantine"

And I have this alias for everything else:

  alias unq="xattr -dr com.apple.quarantine"