Instead of silently breaking they could have a popup like "Do you allow the preinstall script to write into /this/folder?" on a write operation outside of the sandbox.

99% of users will have no fucking idea what that means. They will either click 'Allow' (which makes this feature useless for 99% of people) or contact tech support (adds friction to installation, which is bad especially for conferencing software) or just give up and not use the product (which is bad for the company).

To be fair, it would at least ruin Zoom's incentive to do any of this, since they wanted a streamlined process that prompts the user less.

Why they didn't just use a dmg that has you drag the application into /Applications/ is something I still don't understand though. Surely that is the simplest most user friendly way to have non-technical users install applications without using the appstore.