it's in

mdls

info, likewise if you have santa it can give you the same info (although it would only get logged/scraped when it's an executable being launched, not unpacked from another artifact)

Agree, quick note both mdls and extended_attributes table will not show the origin url if you use incognito/private mode to download the file

yup, it's circumventable a bunch of ways, for a while it was opt-in by e.g. chat clients and browsers for if they would implement applying the quarantine attribute, etc.