It is the latter. The app has to be signed, and the signer has to register "real" identity with Google. Approval of the app itself is not a part of the process.
Yes, sideloading will still be viable from known developers.
Probably malware developers will still be free from prosecution -- what moron is going to distribute malware with their own identity attached to it? But it means when the malware gets caught (which it does) you can't just roll a new APK with a different signature. You've burned a developer identity and need a new one. Those are harder to come by, and so it rate-limits malware distribution.
Fwiw I've been getting random email offers over the years to buy my old dev account for like $100-300. Dev accounts are going to become a prized commodity on the black market with this move.
(I didn't sell my acct, for the record.)