Apple does not care about security.
The sheer amount of effort Apple has gone through under the hood seems to suggest otherwise. They’ve spent a rather mind-boggling level of effort locking down vectors that would enable malware to persist itself at the system level, such as the sealed read-only system volume (something iOS also does). Apple silicon goes so far as to require that firmware be uploaded to devices at boot time from the sealed system volume rather than stored on separate flash, which helps mitigate certain types of attacks, such as ThunderSpy, that depend on being persisted in firmware. Pushing IOKit out to userland using DriverKit is another aspect of this. XProtect continues to evolve. It’s impressive how much security they’ve managed to retrofit onto macOS knowing where they started from, much of it learned from iOS security, and enabled by custom silicon. The fact that it’s been transparent enough to end users that we mostly don’t even think about it is equally impressive, in my view.
That said, since Apple’s core security is also based on public key encryption, if certain private keys got leaked it would spell trouble for them as well, although the use of device-specific keys fused into the Secure Enclave can help limit the impact of such leaked keys. How much that is happening is something I don’t know off the top of my head, and I would need to go look over the white papers again.
Not allowing sideloading is based on profit for Apple, and on the Mac it's quite easy to sideload. Just right click on an app and press "Open"; this bypasses Gatekeeper.
So, there’s the issue of expectations at play here. There’s the expectation for macOS to continue to support apps coming from random sources as it has done. Apple can provide tools to lock it down more and make users intentionally install unsigned apps (notarized apps are the mechanism to bypass the nag alerts), much like Windows does today, but ultimately they are limited to some extent by legacy. It’s a gamble to lock everything down to the point that you push folks to other platforms.
There wasn’t the same expectation for iOS. So they can start from a much stricter standpoint and get away with it more easily. The fact that Google has played much the same game makes it easier as well (hooray for duopoly, I guess?). It limits the harm caused by a leaked key if the system doesn’t recognize the key except when deploying from the official repository as well.
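The reply above contrasts unsigned apps (which trigger Gatekeeper's prompts) with notarized ones (which pass silently). The script below is an added example, not code from either commenter or from Apple: it wraps the two stock macOS commands an admin would use to check where a given app bundle lands, `spctl --assess --type execute -vv` for the Gatekeeper verdict and `xattr -p com.apple.quarantine` for the download-quarantine flag, and reduces their output to one word each so a fleet-inventory script can act on it. The sample `spctl` output strings used when `spctl` is absent are constructed, and the app paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies an app bundle by Gatekeeper's
# verdict and quarantine state using only stock macOS tools. On a non-macOS
# host the caller supplies constructed spctl output so the parsing still runs.

# Reduce `spctl --assess --type execute -vv <app>` output to one word.
# Real spctl prints "<path>: accepted" or "<path>: rejected" on the first line
# and "source=<how it was trusted>" on the next, e.g. "source=Notarized Developer ID".
gatekeeper_verdict() {
    out="$1"
    case "$out" in
        *": accepted"*"source=Notarized Developer ID"*) echo notarized ;;   # passes silently
        *": accepted"*)                                  echo signed ;;      # accepted on another basis
        *": rejected"*)                                  echo rejected ;;    # the nag/block path
        *)                                               echo unknown ;;
    esac
}

# Reduce `xattr -p com.apple.quarantine <path>` output to one word.
# A non-empty value means the bundle still carries the quarantine flag that
# makes Gatekeeper evaluate it on first launch; empty (or an xattr error) means not.
quarantine_state() {
    case "$1" in
        *"No such xattr"*|"") echo clear ;;
        *)                    echo quarantined ;;
    esac
}

# assess_app <app-path> [constructed-spctl-output]
# Runs the real commands when available, otherwise parses the supplied text.
assess_app() {
    app="$1"
    if command -v spctl >/dev/null 2>&1; then
        spctl_out=$(spctl --assess --type execute -vv "$app" 2>&1)
        xattr_out=$(xattr -p com.apple.quarantine "$app" 2>&1)
    else
        spctl_out="$2"          # constructed output on a non-macOS host
        xattr_out=""            # assume no quarantine data off-platform
    fi
    printf '%s gatekeeper=%s quarantine=%s\n' \
        "$app" "$(gatekeeper_verdict "$spctl_out")" "$(quarantine_state "$xattr_out")"
}

# Usage (placeholder path): assess_app /Applications/Example.app
```

Running `assess_app` over `/Applications/*.app` gives a one-line-per-bundle inventory; anything reporting `gatekeeper=rejected` is exactly the set of apps that a user would have had to push through with the right-click "Open" route the comment describes, which is the list worth reviewing on a managed Mac.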