But other code from the same origin might not be signed, which could break the security assertion of code signing.
The unit of signing should be the same as the unit of isolation, i.e. the origin. Or, the origin should be expanded to include a 4th element, the signing key(s). I don't know how to achieve that in a way that does not bring with it the operational risks (bricking) of HPKP and TACK.