Re: Is this really about "security"?
Using hash values to determine reputation is exactly what endpoint security vendors have been doing for years. How old is the code? How widespread is it? The overt purpose is to block new & emerging code from running (ie: polymorphic malware).
The difference is endpoint security vendors tell you what they are doing and why. Apple, on the other hand, is taking the approach of "oh, damn, you weren't supposed to notice". That betrays their privacy marketing message and undermines the trust of their brand.