...if you're interested in more details on the macOS variant see, "Discharging ElectroRAT" https://objective-see.com/blog...

For non-app store downloads, Gatekeeper is supposed to be this check (e.g. the user can say only allow signed apps or only apps from the app store). So yes, any HTTP download can be modified - the vulnerability here, is that Gatekeeper can be bypassed to run the injected unsigned code, even if the user had set Gatekeeper to only allow code from the Mac App Store.