Signature Spoofing isn't enabled by-default and can be toggled on a per-app basis. A rogue app installed isn't going to have the ability to spoof another app unless you manually give it the permission.
The signature spoofing in this ROM can be granted only to system privileged apps (so, built in or installed through a ZIP in recovery): the user can't turn it off (why should he?), but no app other than microG can obtain it. In this way you can't even accidentally give this permission to a malicious app.