allows anybody to inject unsigned code into internet downloads. Then, even if the user has set Gatekeeper to only allow code from the Mac App Store, the unsigned code is allowed to run
Wrong. Anyone can inject code into any data stream trivially. It's getting it to run that's the tricky part. How exactly are you going to do that? If the code that's performing the download is in on the plot, then fine, but a) you would have to get that code past the App Store review, and b) you would have to expect Apple to revoke your signature with maximum prejudice the moment you were caught, and c) you would still have to work around the sandboxing all App Store apps require to do anything truly nasty. Getting an innocent app to run the injected code is another option, but that's back to requiring some other known exploit, such as a buffer overrun.
The short answer is: injecting the code isn't the problem, getting it to run undetected is.