These certificates aren't in the Web PKI and so they aren't covered by (most of‡) the Web PKI's rules and there is no requirement to log them publicly before use.
For example they would lack the 1.3.6.1.5.5.7.3.1 EKU which says their purpose is to identify an SSL/TLS server.
The market for these certificates is pretty different from the Web PKI market.
‡ When they're issued by a CA which would also be trusted in the Web PKI some requirements cross over because of that, particularly Mozilla wants to be sure that certificates issued under these hierarchies are never "accidentally" valid in the Web PKI without obeying its rules.
Windows is my daily driver, and I'm security-minded - yet I haven't noticed different colours for UAC dialogs depending on signature type. I notice if it's not signed at all, of course, but otherwise... no?
I would imagine most typical end users are the same. Similar to how browsers are not actually, where they make it really obvious if a site doesn't use TLS, otherwise it all looks the same.
The comment you're responding to doesn't make this especially clear, but code signing only /has/ certificates with organisation names subject to an extended validation. The rules for those are:
Whereas for the Web PKI (things that do SSL/TLS, including most obviously HTTPS on the web) there are both the baseline requirements for every certificate:
It's kinda useless to have a certificate that says this program is really named "Great Calculator". Oh yeah? So what? Whereas a certificate that says it's from "Microsoft Corp" in "Washington, US" at least tells me whose fault this calculator program is when it wrecks my PC.
On the other hand, knowing this is really https://news.ycombinator.com/ is kinda good because the machine can (and does) automatically check that this matches on every single URL resolved, every image, every HTTP POST, everything.
Oh, I've bought code certificates before - I didn't realise the ridiculous process I had to go through was "extended validation "?!
I had to give them a published telephone number for a callback. I don't publish a phone number, so I setup a Skype Number and published it in a free Yellow Pages kind of site - they did a callback, which obviously totally proves I work for Acme Stuff, and then I removed the listing and Skype Number.
I recall there were a couple of other bits of theatre I had to endure, publishing information on random listing sites that don't do any validation of their own, but I don't remember exact what.
I always thought code signing was a class of its own (especially since i also saw the names of people in those, which directly contradicts EV as ev cannot be obtained by people, only legal entities like companies or govs or whatever) but okay.
EV certs are still useful for code signing. At least on Windows UAC warnings look differently if binary is signed with EV certificate.