You're amazing. Thanks so much!
I never thought that those executables could simply be bash scripts. That clears it all up!
The `otool` works on the bundled binaries, but I don't know if it can show signatures. Anyway, used jtool2 from newosxbook.com (it's not open-source, so use it at your own risk) and it did show the Oracle signature. (`./jtool2 --sig /Applications/VirtualBox.app/Contents/MacOS/VBoxManage`)
One last question (I promise): Does MacOS automatically add the Provisioning Profile to System Preferences when copying an app bundle to Applications with a profile that has restricted entitlements, or do app installers have to deliberately install such a profile for their non-GUI binaries to work?