While there are some benefits to signing your PowerShell code, security really isn't one of them, at least not if your goal is to prevent malicious scripts from being run on your machine without your knowledge. It can prevent malicious tampering with existing scripts and automated processes, but if something is run on your system that attempts to execute a malicious PowerShell script, it does not matter what your Execution Policy is set to.
Setting the Execution Policy sets the default behavior of PowerShell. It can make it harder for you to accidentally run something you haven't explicitly trusted, but if a malicious actor has the ability to call powershell.exe, then that malicious actor will be able to run scripts on your system with whatever permissions they already have. So, for example, if they convince you to open a Word document with macros to launch PowerShell in the background to download and run a malicious script, then they will have no trouble doing that, and with the same permissions you have.
To stress that point: it does not matter if you set your Execution Policy to "Restricted" to prevent any and all scripts from running, as it will not stop a malicious actor from running scripts on your system. The only person it makes running scripts harder for is the user of the system.
So, how is it that Execution Policy is so easy to bypass? Doesn't it require administrative permissions to change?
Yes, it does require administrative permissions to change…system-wide. As I mentioned before, that only affects the default behavior of PowerShell; individual instances of powershell.exe can be run with a different Execution Policy by using the -ExecutionPolicy parameter. The only permission required is the right to execute powershell.exe itself.
To demonstrate this and validate it on your machine, do the following:
1. Launch a PowerShell console as Administrator
2. Run the following command: "Set-ExecutionPolicy Restricted"
   - This is the most restrictive Execution Policy available, and will not allow any scripts to run by default
3. Make a folder at "C:\temp" (or wherever you want, but make the necessary adjustments to the batch files below if you use a different folder), and create three new text files called "EP-Demo.ps1", "EP-Demo-1.bat", and "EP-Demo-2.bat" (make sure they don't have a hidden ".txt" after them)
4. Edit "EP-Demo.ps1" and paste the following into it:

    Write-Host "The Execution Policy is set to: $(Get-ExecutionPolicy)"

5. Edit "EP-Demo-1.bat" and paste the following into it:

    powershell.exe -Command "& C:\temp\EP-Demo.ps1"
    pause

6. Edit "EP-Demo-2.bat" and paste the following into it:

    powershell.exe -ExecutionPolicy Bypass -Command "& C:\temp\EP-Demo.ps1"
    pause

7. Double click on "EP-Demo-1.bat" and "EP-Demo-2.bat" to see this in action
   - Demo-1 will show the default behavior (what you would get if you just try to run a script under "Restricted", assuming you completed steps 1 and 2 above) and Demo-2 will show how easy that is to bypass with one simple parameter
As you can see, there is really no security benefit to changing the Execution Policy: if something can run powershell.exe, it can execute scripts just as easily. It doesn't matter if it is being launched from a batch file, a VB script, a C# program, or a Word macro.
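Because the override is passed as a parameter, it is visible on the command line of the powershell.exe process, which is where a defender can look for it. The script below is an added example, not code from the original post: it scans constructed process-creation records for PowerShell launches that set their own Execution Policy. The record shape, the function name Get-ExecutionPolicyOverride and the sample data are assumptions, and the tokenizer is simplified (it does not handle executable paths containing spaces).

```powershell
# Constructed sample records (not from the original post), shaped like
# process-creation log entries: parent image plus the child's command line.
$events = @(
    [pscustomobject]@{ Parent = 'cmd.exe';      CommandLine = 'powershell.exe -Command "& C:\temp\EP-Demo.ps1"' }
    [pscustomobject]@{ Parent = 'cmd.exe';      CommandLine = 'powershell.exe -ExecutionPolicy Bypass -Command "& C:\temp\EP-Demo.ps1"' }
    [pscustomobject]@{ Parent = 'WINWORD.EXE';  CommandLine = 'powershell.exe -ep bypass -File C:\temp\EP-Demo.ps1' }
    [pscustomobject]@{ Parent = 'explorer.exe'; CommandLine = 'notepad.exe C:\temp\EP-Demo.ps1' }
)

function Get-ExecutionPolicyOverride {
    param([Parameter(Mandatory)][string]$CommandLine)

    # Simplified tokenizer: split on whitespace, then require the first
    # token to be powershell.exe or pwsh.exe (with or without a path).
    $tokens = @($CommandLine.Trim() -split '\s+')
    if ($tokens[0].Trim('"') -notmatch '(?i)(^|\\)(powershell|pwsh)(\.exe)?$') { return $null }

    for ($i = 1; $i -lt $tokens.Count - 1; $i++) {
        if ($tokens[$i] -match '^[-/](?<name>[A-Za-z]+)$') {
            $name = $Matches['name'].ToLowerInvariant()
            # powershell.exe accepts shortened switch names, so match -ep and
            # any prefix of "executionpolicy" from "ex" upward (-ex, -exec, ...).
            $isPolicySwitch = ($name -eq 'ep') -or
                ($name.Length -ge 2 -and 'executionpolicy'.StartsWith($name))
            if ($isPolicySwitch) { return $tokens[$i + 1].Trim('"', "'") }
        }
    }
    return $null
}

# Report every launch that overrides the policy, with its parent process
# so that unusual launchers (for example an Office application) stand out.
$events | ForEach-Object {
    $policy = Get-ExecutionPolicyOverride -CommandLine $_.CommandLine
    if ($policy) {
        [pscustomobject]@{
            Parent      = $_.Parent
            Policy      = $policy
            CommandLine = $_.CommandLine
        }
    }
} | Format-Table -AutoSize
```

In a real environment the records would come from whatever process-creation logging is already collected, and legitimate automation that passes the parameter would need to be baselined before alerting on it.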