I fully agree with you regarding the ruleset for quarantining.
In the meantime I have released the app in the macOS App Store with the entitlement "com.apple.security.files.user-selected.executable=false", because Apple has not granted the right to use it yet. At the same time I have opened a support case, because for this specific app, not using the entitlement introduces a security issue from my point of view.
The app implements file-level deduplication for APFS and replaces all duplicate files with clones, in order to free up disk space. After replacing a file with a clone of a duplicate, the app replaces all metadata of the clone with the metadata of the previously removed file. This works fine, other than that the quarantine extended attribute is set if I don't use the entitlement. As a result the deduplication app overwrites all existing quarantine extended attributes of deduplicated files, which may be a security issue for the user. The user gets warnings that files were downloaded by "diskDedupe", even though the file was actually downloaded by another, possibly dangerous app. My app does not change a single bit of any file; it only clones existing files and changes metadata such as timestamps. Still, unfortunately, the quarantine extended attribute is set by the OS. I have published a workaround on the app's website to remove the quarantine bit for now, but it would be much better if macOS did not create quarantine bits for clones at all.
The Apple support engineer agrees with my point of view and is currently trying to convince the app review team to grant the entitlement for security reasons. But the app review team has not been responding for weeks now (the app has been "in review" for more than 4 weeks without any notice).
Update: Apple has finally rejected the app with "com.apple.security.files.user-selected.executable" set to true. I released diskDedupe without the entitlement and published a script to remove the quarantine flag on the support website.
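As an added example (this is not diskDedupe's code and not the workaround script the author published), the following Python records the com.apple.quarantine attribute of a set of files before a dedupe run and writes the original values back afterwards, instead of deleting the attribute altogether, so a file downloaded by Safari stays attributed to Safari rather than to the dedupe tool. It assumes the macOS xattr(1) command for reading and writing the attribute; the decoding of the value as flags;timestamp;agent;event-UUID reflects the format macOS uses, and every sample value below is constructed.

```python
# Added example: preserve com.apple.quarantine across a clone-and-replace step.
# Not diskDedupe's code. Assumes the macOS xattr(1) CLI; sample values are constructed.
import datetime
import subprocess
from dataclasses import dataclass
from typing import Dict, Optional

QUARANTINE_ATTR = "com.apple.quarantine"


@dataclass(frozen=True)
class Quarantine:
    """Parsed com.apple.quarantine value: flags;timestamp;agent;event-uuid."""
    flags: int        # hex bitfield, e.g. 0083
    timestamp: int    # seconds since the Unix epoch, stored as hex on disk
    agent: str        # name of the app that downloaded the file
    event_id: str     # UUID keying into the LaunchServices quarantine events DB

    @classmethod
    def parse(cls, raw: str) -> "Quarantine":
        parts = raw.strip().split(";")
        if len(parts) != 4:
            raise ValueError(f"unexpected quarantine value: {raw!r}")
        flags, ts, agent, event_id = parts
        return cls(int(flags, 16), int(ts, 16), agent, event_id)

    def encode(self) -> str:
        return f"{self.flags:04x};{self.timestamp:x};{self.agent};{self.event_id}"

    def downloaded_at(self) -> datetime.datetime:
        return datetime.datetime.fromtimestamp(self.timestamp, tz=datetime.timezone.utc)


def provenance_lost(before: Optional[str], after: Optional[str]) -> bool:
    """True when an existing attribute vanished or now names a different agent
    (the failure mode in the post: a Safari download re-attributed to the dedupe tool)."""
    if before is None:
        return False          # nothing to lose; a newly added attribute is merely noise
    if after is None:
        return True
    return Quarantine.parse(before).agent != Quarantine.parse(after).agent


def plan_restore(before: Dict[str, Optional[str]],
                 after: Dict[str, Optional[str]]) -> Dict[str, Optional[str]]:
    """Return {path: value to write back}. None means 'delete the attribute', i.e.
    the file had no quarantine attribute before the run and should not gain one."""
    return {p: before[p] for p in before if before[p] != after.get(p)}


def read_quarantine(path: str) -> Optional[str]:
    """Read the raw attribute with xattr(1); None if the file has none."""
    res = subprocess.run(["xattr", "-p", QUARANTINE_ATTR, path],
                         capture_output=True, text=True)
    return res.stdout.strip() if res.returncode == 0 else None


def snapshot(paths) -> Dict[str, Optional[str]]:
    return {p: read_quarantine(p) for p in paths}


def restore(plan: Dict[str, Optional[str]]) -> None:
    for path, value in plan.items():
        if value is None:
            subprocess.run(["xattr", "-d", QUARANTINE_ATTR, path], check=False)
        else:
            subprocess.run(["xattr", "-w", QUARANTINE_ATTR, value, path], check=True)


if __name__ == "__main__":
    import json
    import sys
    # Usage (macOS):  quarantine_guard.py snapshot FILE... > before.json
    #                 ... run the dedupe tool ...
    #                 quarantine_guard.py restore before.json
    if sys.argv[1] == "snapshot":
        print(json.dumps(snapshot(sys.argv[2:]), indent=2))
    elif sys.argv[1] == "restore":
        with open(sys.argv[2]) as fh:
            before = json.load(fh)
        after = snapshot(before)               # dict keys are the recorded paths
        plan = plan_restore(before, after)
        for p in plan:
            if provenance_lost(before[p], after[p]):
                print(f"quarantine provenance changed: {p}", file=sys.stderr)
        restore(plan)
```

Restoring the recorded value keeps Gatekeeper's record of the real downloading app intact, which is the property the post is concerned about; stripping the attribute instead silences the misleading "downloaded by diskDedupe" warning but also removes the protection for files that genuinely came from an untrusted source.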