At the moment if a user provides entitlements, it applies to both the app bundle and to UpdateMac.

There are cases where the required app entitlements are incompatible with UpdateMac, preventing it from starting.

Seems to me like always using the default entitlements for UpdateMac should be sufficient to fix this, I can't see any reason why you'd need to override these.