OK, so I submitted the entire zip to Microsoft for malware analysis and there were too many files in it, so I resubmitted the binaries only and nothing was found. Note the submission was for testing with MS Defender for Windows 11; their submission process only allows you to test one tool at a time and I'm guessing the above screenshot is Windows 11.
So I guess until software signing becomes free or at least realistically affordable for indie/open source devs, we're just gonna have to put up with this bullshit.
Signing is apparently expensive because of the need for 'auditing' (which I imagine would be another barrier for indie devs), yet 'LetsEncrypt' website signing is free and all you need for that is the server you plan to use. I guess proof that you have write access to the server is good enough proof of identity - or at least proves you're responsible for it - and there's no real equivalent in software development?
I do plan to start including hashes with my downloads in future though. Just as there's a chance Blitz3D-V1.113.zip contained malware when I uploaded it, there's also a chance the zip was infected somehow 'in transit', and hashes are a simple way of proving at least that (almost certainly) hasn't happened.
I haven't found anyone interested in my 'double building' idea yet though, so you'll still have to trust the zip wasn't infected 'at source'.
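
The hash check described above, as an added example that is not part of the original post or the project's own tooling: a publisher writes a SHA-256 manifest next to the release files and a downloader verifies against it. The manifest name `SHA256SUMS`, the function names and the sample archive are assumptions made for illustration.

```python
import hashlib, hmac, os, tempfile

def sha256_file(path, chunk=1 << 20):
    """Stream the file so large archives need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def write_manifest(paths, manifest):
    """Publisher side: one 'digest *name' line per file (sha256sum binary-mode format)."""
    with open(manifest, "w", encoding="utf-8", newline="\n") as out:
        for p in paths:
            out.write(f"{sha256_file(p)} *{os.path.basename(p)}\n")

def verify_manifest(manifest, directory):
    """Downloader side: return {name: 'OK' | 'MISMATCH' | 'MISSING'}."""
    results = {}
    with open(manifest, encoding="utf-8") as f:
        for line in filter(None, map(str.strip, f)):  # skip blank lines
            expected, name = line.split(" ", 1)
            name = os.path.basename(name.lstrip("* "))  # ignore any directory part
            path = os.path.join(directory, name)
            if not os.path.isfile(path):
                results[name] = "MISSING"
            elif hmac.compare_digest(sha256_file(path), expected.lower()):
                results[name] = "OK"
            else:
                results[name] = "MISMATCH"
    return results

def demo():
    """Constructed sample: a stand-in archive, then a one-byte change after publishing."""
    with tempfile.TemporaryDirectory() as d:
        zip_path = os.path.join(d, "example-release.zip")  # placeholder name
        with open(zip_path, "wb") as f:
            f.write(b"PK\x03\x04 constructed sample bytes")
        manifest = os.path.join(d, "SHA256SUMS")
        write_manifest([zip_path], manifest)
        before = verify_manifest(manifest, d)
        with open(zip_path, "ab") as f:
            f.write(b"\x00")  # simulate corruption or tampering in transit
        after = verify_manifest(manifest, d)
        return before, after

if __name__ == "__main__":
    print(demo())
```

The comparison only says the downloaded file matches the manifest, so the manifest is best obtained over a different channel than the zip itself.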