The key feature is that MacOS does not allow just 'any old junk' from anywhere to become Executable.
The second feature that makes the first one bulletproof is that malware can not attach itself to parts of the System.
MacOS shares a lot of the lock-down mechanisms developed for the iPhone. Applications are all sand-boxed with a list of the resources they require, and they cannot access anything outside their sandbox without crashing. Signed Applications are checked that they are from legitimate Developers, and Notarized Applications are delivered with the assurance that they have NOT been modified since their release by the Developer.
Introduced just before MacOS 12 Monterey, the system is now on a Separate, cryptographically—signed ‘sealed System Volume’. The Mac runs off read-only snapshots of this volume, which is not writeable using ordinary means. Any unauthorized changes to the crypto-signed volume are very quickly detected and you are alerted.
So you could store just about every malware known to mankind on your Mac, and your Mac would not get infected spontaneously. Scanning for virus-like patterns might make you feel a little better now, but non-stop scanning is outdated nonsense, and a tremendous waste of resources.
Nothing can become Executable Unless/Until you supply your Admin password to "make it so".
--------
Some users may prefer to create a new Admin User with a unique password (be sure to write that password down somewhere). Then log in as the new Admin and demote their daily-use account to an "ordinary" non-Admin account. In that case, nothing can be installed "by accident" because you will need to provide both the Admin Username AND Password to install anything. This gives you an additional step to pause and think about whether you really want to do this.