It says it requires a “provisioning profile”, whatever that means. I assume they still won’t let a typical user just download the app they want from the Internet, bypassing Apple’s walled garden entirely.
> They must be signed by a certificate that’s trusted on the device.
The user's device has to trust the developer/enterprise certificate, which then signs the app. Users can import certificates and CAs, it's a manual step on devices that are not managed by MDM. This is mostly used by enterprises, but can be used in other contexts where users trust a developer to sign software (and not sign malware!) for their device. That implies the developer securing the signing key.
