@WedgeTail,
I would not read too much into that, the same panic/situation occurred when Apple insisted that all kexts must be signed (trusted) some years ago.
We circumvent that by using the CSRActiveConfig parameter in our config.plist.
The mask value of 1 allows "Untrusted Kexts" to be loaded.
If and when Apple implement further kext certification, it will just be a case of using another CSRActiveConfig bit mask value to circumvent it. This feature is baked into MacOS so that developers can test kexts and Apps without having to submit every alpha and beta version of a kext/App to Apple before they can start testing it.
We use the same mechanism so that we can load 3rd Party kexts required to run MacOS on non-Apple hardware.
There is already a bit mask value to allow "Unapproved Kexts" (mask value = 512) which we currently don't use, so that may be the one to use if and when Apple make this latest change. It should also be noted in the very latest release of MacOs there has been another SIP mask value added to allow un-notarized apps.
For more info on how to use the CSRActiveConfig parameter see my post here :-
Do you know if some elements of SIP can be turned on/off for a specific executable? @exquirentibus, The SIP level for MacOS must be set prior to booting the OS and once set the current level of SIP is global. Once MacOS is booted the level of SIP can not be changed without rebooting. On a...
www.tonymacx86.com
So you can rest easy as there is nothing to worry about.
Cheers
Jay