Now that we have a signed installer for MacOS, the next step is to sign the Windows binary releases. SignPath provides a free service for acknowledged open source projects. I have implemented the requirements. In particular build the binary using GitHub actions and enforce 2FA for the all members of the SWI-Prolog organization on GitHub. After that, I applied for the free signing option.
If all works, this should ensure signed binary installers for releases. The process is said to require manual intervention, so the nightly builds will remain unsigned.