It seems to me the obvious solution is to extend the "parental controls" install permission feature, and add an optional restriction API for "sideload apps" (like on Android). This would handle the "I want a locked down device" scenario for MDM and parental controls users.
Those who want an unrestricted device could enable sideloading (which would permit non-Apple-notarized apps to be installed), and permit non-expiring developer self-signed apps. Then the free market could go ahead and develop "stores" and alternative ecosystems.