Based on discussions on the forum, it is recommended to only notarize the installation package and not the contents of the payload and then the installation package.
This means that the payload of a package submitted to the notarization server will be inspected and the appropriate items in the payload can be stapled.
Question:
What about the Installer Plugins and the contents of the Scripts archive inside a distribution and a package?
Are they also inspected and notarized by the server?
Is the stapling process able to add the tickets to the Installer Plugins and the contents of the Scripts archive?