I also have the same issue for a separate open source app. Case-ID: 16450175. No solution yet. Hopefully @Volker88 or @DTS Engineer can explain that resolution. Perhaps what happened is that back in the day if you published with MYBUNDLE identifier then your certificate implicitly also covered MYBUNDLE.watchkitapp. Then, either from time immemorial, or starting with some other watchOS release, this .watchkitapp became available. At the moment we are seeing this only with open source apps, with honest mistakes, for obvious reasons. But this is probably also a vector for denial of service against existing apps that are not open source. Probably only the ones that have been around since the early days of watchOS.

I use Mac apps and I do care about that contract. Thank you for working to minimize entitlements.

I would love to respect the world and make my app available in all the languages. But it will probably be easier to have the whole world learn English and eradicate all the other languages that it will be to get Apple to update their process+documentation for localized apps.