What I want is a law requiring support for facilitating owners of programmable computers be able to install their own programs independently. If it's not gate-keeped, there's nothing to do. But if you choose to gatekeep because "security", you've signed up for some work to comply with the law.

If there's something like a Play Store with OS-level integration preventing unsigned applications from installing and running, FINE, that's an arguably useful security feature for regular users who have no interest in writing their own apps or consuming software outside the Play Store.

This doesn't preclude allowing the user (with admin rights) adding signing keys of their choosing.

If I want to trust Lennart Poettering's or Jonathan Blow's binaries to install/run on my computer/phone, let me install their public keys, a one-time addition gated by admin rights.

If you're not enabling me to potentially put bits of my choosing on my computer, its software better be in ROMs getting physically swapped out for "updates".