by als0 3155 days ago
Personally, I don't think it's worth turning off proper signature checking in exchange for shaving off 100MB of proprietary code.

It does not turn off signature checking. It allows selective, whitelisted system apps to impersonate other apps after a permission is granted by the user.

Specifically, it allows the open-source, auditable microG apps to impersonate the closed-source, unauditable Google Play Services apps.

As much as I like the idea of running an Android device without gapps while remaining fully functional, and I feel this fork goes out of its way to attempt to remain secure, I just can't get past the fact that it's still a security hole. Eventually some bad actor is going to hammer at this hole until he finds a way in, then it's game over, restart from scratch.

I think the larger problem, the one that caused the microG gang to go this route, is the increasing control Google wants to hold over their platform. Fanatics always promote Android as the "open source alternative" to iOS and Windows Phone, but if you have to strip out so much proprietary gunk that it renders the device unusable, how can they claim it's open source with a straight face? Sure, the core Android code and kernel are still open, but there's a huge difference between being able to boot a device and actually using it daily.

This doesn't make sense to me. You already have other permissions (draw on top of other apps, full filesystem access, etc.) that could be catastrophic to grant to malicious apps. If you don't trust yourself not to grant them, or you don't trust the Android permissions system itself to be implemented correctly, it's already game over.

(Edit to add: I agree with everything in your second paragraph.)

I may be misunderstanding the methods involved then; I'm not a security expert and I no longer use Android, so I am behind the curve.

Signature spoofing isn't enabled by default and can be toggled on a per-app basis. A rogue app you install isn't going to have the ability to spoof another app unless you manually give it the permission.

The signature spoofing in this ROM can be granted only to system-privileged apps (so, built in or installed through a ZIP in recovery): the user can't turn it off (why should he?), but no app other than microG can obtain it. In this way you can't even accidentally give this permission to a malicious app.