
Signed MacOS release with autoupdates disabled (for use with Nix)

I have been attempting to port Mullvad Browser for MacOS to nixpkgs for use with the Nix package manager on MacOS: https://github.com/NixOS/nixpkgs/pull/283874

However, I cannot package it with auto-updates enabled -- because I want Nix to manage the updates. Auto updates can be disabled within Firefox via policies.json as described in Firefox's documentation: https://support.mozilla.org/en-US/kb/deploying-firefox-customizations-macos

I also tested what happens when installing an old release (13.0.7) with Nix, and auto-updates completely broke the browser after the update completed.

After a lot of testing, I have found that on MacOS I can only deploy a custom policies.json in Mullvad Browser after the .app is installed on my system. If I modify it before it gets on my system, i.e. with Nix, I have to remove the code signature like so:

/usr/bin/codesign -fs - "$out/Applications/Mullvad Browser.app"

This gets the app to launch but basically breaks all of the functionality of the app (crashed tabs, unable to browse the web, etc.).

Is there any way we could see a signed release of Mullvad Browser on MacOS with auto updates disabled for use in Nix? Or, is there another way I could disable auto-updates without modifying the .app?

(I want to also port the Tor Browser for MacOS to nixpkgs, but suspect the exact same issue will be present -- so if this could also be addressed with Tor Browser that would be fantastic!)

Original issue containing more comments: https://github.com/mullvad/mullvad-browser/issues/219
