Who said only 1 layer?
You sandbox the browser
You put the installer on a different user
You make the installer always open a popup
You ask for the password/PIN
If a JS script can bypass all of this then you have a bigger problem: the malware developers can easily already have a dummy app in the app-store that is signed by Apple. The installer signature is the last thing you should worry about in this case (better disable JS now).