chmod to dequarantine doesn't sound like "a little friction" to me.
On your point about security, this kind of aggressivity from the platform owner tend to backfire.
The user was already convinced to open that mail, download that file, and try to run it. Pushing the process to the terminal just means your clueless users now run the provided incantations in the shell instead, and the attack vector now becomes huge (the initial program doesn't even need to be malware)
I agree having to go to the command line is too much friction. Just clicking `overdue-invoice.doc.pif` is too little. About right is somewhere between a prompt and setting the file executable in the GUI.
I wish it would run in a stricter sandboxed mode and prompt the user on the first network requests and file writes outside of it's directory.
That wouldn't be perfect, but at least the user could be prompted for a concrete action instead of a vague "this script is scary" warning.