La la la, Apple can't hear you
What Wardle found was that Apple's whitelisting mechanism only checks the cryptographic signatures of applications' executables, not every piece of additional code that they load and run, such as plugins.
Which is exactly the same well-known problem that Gatekeeper has.
Presumably in any dev meeting about this feature someone should have piped up with this problem. Were they dragged away for re-education?
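The gap described in the comment above, modeled as an added example that is not part of the original comment and is not Apple's code. It substitutes SHA-256 digests for code signatures as a simplifying assumption; the bundle layout, file names and function names are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_manifest(bundle: Path) -> dict:
    """Record a digest for every file in the bundle at approval time."""
    return {p.relative_to(bundle).as_posix(): sha256(p)
            for p in sorted(bundle.rglob("*")) if p.is_file()}


def check_main_only(bundle: Path, manifest: dict, main: str = "app.bin") -> bool:
    """The gap: only the main executable is compared to the approved digest."""
    return manifest.get(main) == sha256(bundle / main)


def check_all_code(bundle: Path, manifest: dict) -> list:
    """Compare every loadable file; return the paths that changed or appeared."""
    current = build_manifest(bundle)
    changed = [p for p, digest in manifest.items() if current.get(p) != digest]
    added = [p for p in current if p not in manifest]
    return sorted(changed + added)


def demo() -> tuple:
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample bundle: one executable, one plugin (assumed names).
        bundle = Path(tmp) / "Example.app"
        (bundle / "plugins").mkdir(parents=True)
        (bundle / "app.bin").write_bytes(b"constructed main executable")
        (bundle / "plugins" / "helper.plugin").write_bytes(b"constructed plugin v1")
        manifest = build_manifest(bundle)  # state at approval time
        # After approval, a plugin is modified and another one is added.
        (bundle / "plugins" / "helper.plugin").write_bytes(b"constructed plugin v2")
        (bundle / "plugins" / "extra.plugin").write_bytes(b"constructed new plugin")
        return check_main_only(bundle, manifest), check_all_code(bundle, manifest)


if __name__ == "__main__":
    main_ok, failures = demo()
    print("main-only check passes:", main_ok)
    print("files failing the full check:", failures)
```

The main-only check still passes after the plugins change, while the full check reports both plugin files.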