
Is codeSignature required for static framework? (xcode)


In other frameworks, I've seen codeSignature included in dynamic cases, because dynamic frameworks have an "Embed and Sign" option. But this time Apple said, "Signatures are also required in these cases where the listed SDKs are used as binary dependencies." Does that mean that even if the ".framework" file of the SDK you are deploying is static, you have to include codeSignature?

And if a framework is not included in the Privacy-Impacting SDKs list, is it okay not to sign?


Solution

  • If you watch the presentation from last year's WWDC (2023), you can understand that:

    • Privacy impacting SDKs must include a privacy manifest
    • Applications that use privacy impacting SDKs must verify that those SDKs are signed

    In this presentation, Apple stresses the importance of signing SDKs and encourages SDK developers to do this and application developers to ask this of SDK developers.

    To answer your questions, Apple likes to keep things vague and it is not 100% clear what you MUST do. I can estimate (emphasis estimate), that Apple might enforce signing for SDKs at some point in the near future.
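
A presence-level audit of vendored SDK bundles for the two things the answer above lists, a code signature and a privacy manifest. This is an added example, not part of the original answer; it assumes a signed bundle carries `_CodeSignature/CodeResources` and that the manifest is named `PrivacyInfo.xcprivacy`, and the function name `audit_sdks` is hypothetical.

```shell
#!/bin/sh
# Added example: report, for every .framework / .xcframework under a directory,
# whether a signature seal and a privacy manifest are present.
# Assumptions: the seal is at <bundle>/_CodeSignature/CodeResources and the
# manifest is a file named PrivacyInfo.xcprivacy somewhere inside the bundle.

audit_sdks() {
    root=$1
    # -prune stops at the outer bundle, so slices inside an .xcframework
    # are not reported as separate frameworks.
    find "$root" -type d \( -name '*.xcframework' -o -name '*.framework' \) -prune |
    sort |
    while IFS= read -r bundle; do
        sig=missing
        manifest=missing
        verify=

        if [ -f "$bundle/_CodeSignature/CodeResources" ]; then
            sig=present
            # Presence is not validity. Where codesign exists (macOS),
            # also check that the seal matches the bundle contents.
            if command -v codesign >/dev/null 2>&1; then
                if codesign --verify --strict "$bundle" >/dev/null 2>&1; then
                    verify=" verify=ok"
                else
                    verify=" verify=FAILED"
                fi
            fi
        fi

        # The manifest may sit in the bundle root or inside a platform slice.
        if [ -n "$(find "$bundle" -type f -name PrivacyInfo.xcprivacy | head -n 1)" ]; then
            manifest=present
        fi

        echo "$(basename "$bundle") sig=$sig manifest=$manifest$verify"
    done
}

# Stand-alone use: sh audit.sh path/to/vendored/sdks
if [ $# -gt 0 ]; then
    audit_sdks "$1"
fi
```

A bundle reported as `sig=present` only has a seal on disk; on macOS, `codesign -dv` on the bundle shows who signed it.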