It’s only how App Store apps work.

There is nothing stopping a popular video conferencing app that you install from the web from surreptitiously installing a web server on your computer leading to a security vulnerability.

https://michael.team/zoom/

It’s not. They changed a lot of stuff in Sequoia. I know this because it broke something I rely on and I had to go fix it. It can’t even open a file without the correct entitlements and code signing done and permission granted by the end user.