(the linked post mentions C# but the wording leaves it a bit open what was really used)
Instead of talking about "trust" I'll go with my usual "trust no one" and instead think about situation where every downloaded executable needs to be considered malicious and how to make handling that situation as easy as possible. The key here is to make it easy to determine whether particular download is malicious or not. If user ops to trust anyway well that's their option. But those of us who choose to never trust should have our life made easier.
Instead of "anti-virus" (which according to the gta5forum thread, none in virustotal alerted about this. anti-virus is a trust based concept - it requires me to trust the AV vendor and wait till they have analyzed everything I want to run) ...
... have a hook in OS that decompiles executables before running them and then compiles the decompiled code and runs that instead. This ensures that every bit of code on the system is a) moddable should you want/need to b) easier to verify with code analysis tools for malicious behavior. Then ...
... if user wants to run code that didn't decompile cleanly, they need to approve that or opt to run them in some sort of "secure desktop" that is essentially a virtual machine that's super easy to use, embedded right to the Windows shell. eg. No need to install VM software, you could just have multiple desktops and then checkbox would turn them into VM. Then various drives and folders could be disabled from the VM from right click context menu. Also you could opt to set the vm desktop to be clean except for stuff that was installed (updates apps). So after clicking that box, all apps installed on "host" would appear in the VM clean but in state that was like if the app was just installed, without user data. (obviously any Windows updates installed in the "root desktop" would get installed also into the virtualized desktops without taking any more space on disk unless you opted out of that. So the virtualized desktops are essentially same as the first user desktop by default, and user the opts out of existing things instead of needing to re-install everything like in VM's today)
For "bonus points", everything in the VM secure desktops would be fully auditable from a "root desktop" which had tools similar to process monitor/explorer, sysmon etc and was able to monitor all the secure desktops, so malware running in the secure desktop vm's would not be able to see that any monitoring tools are even in use.