Based on https://developer.apple.com/documentation/Xcode/verifying-the-origin-of-your-xcframeworks
It seems like it is possible to self-sign third-party SDKs. It looks like Xcode will track a signed framework from the point when it was first introduced in your Xcode project. If the signature changes, it's a sign that that framework has been tampered with.
There are legitimate reasons why a framework signature may have changed, including:
- the provider of a third-party SDK transfers ownership of the SDK to another organization, who release a version that’s signed with the new organization’s Team ID.
- you switch from a vendor-supplied distribution of an XCFramework to a version that you build and sign yourself.
A changed code signature can also indicate that the XCFramework has been tampered with, or another actor has injected their own code into your system, pretending it’s a version of the XCFramework.
In which case, Xcode is supposed to show a dialog allowing you to accept the change.
I haven't tested any of this myself but it does seem to be open enough that you can make modifications to a third-party SDK.
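A build-pipeline counterpart to the signer tracking described above, as an added example that is not part of the original post or of Apple's documentation: it compares the `TeamIdentifier` line of `codesign -dvv` output against a pinned value, so a changed signer is flagged for review. It assumes the output has been captured from the signed XCFramework on macOS; the Team IDs, bundle identifier and sample output below are constructed placeholders.

```shell
#!/bin/sh
# Added example: pin the signer of a vendored XCFramework.
# Assumed capture step on macOS (codesign writes these details to stderr):
#   codesign -dvv Vendor.xcframework 2>&1 | check_signer ABCDE12345

# Print the first TeamIdentifier value found in codesign output on stdin.
team_id_from() {
    sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# check_signer PINNED_TEAM_ID  (codesign output on stdin)
# Returns 0 = signer matches the pin, 1 = signed by a different team,
#         2 = no team identity present (unsigned or ad hoc signature).
check_signer() {
    pinned=$1
    actual=$(team_id_from)
    case "$actual" in
        ""|"not set")
            echo "no Team ID in signature (unsigned or ad hoc)"; return 2 ;;
        "$pinned")
            echo "signer unchanged: $actual"; return 0 ;;
        *)
            echo "signer changed: pinned $pinned, found $actual"; return 1 ;;
    esac
}

# Constructed sample outputs (placeholder identities, not real teams).
SAMPLE_VENDOR='Identifier=com.example.VendorSDK
Authority=Apple Distribution: Example Vendor Inc. (ABCDE12345)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'

# Same framework after being re-signed by another team, for example a
# self-built copy or a transfer of ownership: needs a human decision.
SAMPLE_RESIGNED='Identifier=com.example.VendorSDK
Authority=Apple Distribution: Other Org LLC (ZYXWV98765)
TeamIdentifier=ZYXWV98765'

# Ad hoc signature: no team identity to pin against.
SAMPLE_ADHOC='Identifier=com.example.VendorSDK
Signature=adhoc
TeamIdentifier=not set'

# Demo run over the three samples; "|| true" keeps the script's exit code 0.
for sample in "$SAMPLE_VENDOR" "$SAMPLE_RESIGNED" "$SAMPLE_ADHOC"; do
    printf '%s\n' "$sample" | check_signer ABCDE12345 || true
done
```

A non-zero result is a prompt to confirm whether the change is one of the legitimate cases listed above before updating the pinned Team ID.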