Don't try to execute binaries when opening (using mouse click/keyboard etc.)
At the moment Nautilus will execute any file it recognises as a binary (e.g. ELF at least).
This happens regardless of the binary's location, in contrast to its handling of .desktop files (which seem to be executed only if in a whitelisted location, or if they've been explicitly marked as "trusted", which is then recorded as GVFS metadata).
Though there might be some very uncommon edge cases where a user needs to launch a binary via Nautilus, it seems like a very bad idea to do this by default. For example, the user could inadvertently (or otherwise) download a binary file named "info.pdf." (note the trailing dot), then open it from Nautilus thinking it's a PDF.
I have tested that this happens using an existing binary from my system - tilix - by copying it to my user Downloads folder and renaming it to "info.pdf." (For some reason, Nautilus is terrible at identifying ELF binaries - gedit's binary for instance shows up as "unknown" in Nautilus despite the "file" command showing it as an ELF).
At the very least, Nautilus should treat binary files the same as .desktop files - whitelist some locations (e.g. /usr/bin) if absolutely necessary; for the rest, show an "untrusted" warning. But honestly I don't see the value in being able to execute binaries via Nautilus at all.
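
An added example, not part of the original report and not Nautilus code: a small audit script that lists files in a directory whose content begins with the ELF magic bytes while the name, with trailing dots stripped, ends in a document-style extension such as the "info.pdf." case above. The extension list and all function names are assumptions chosen for illustration, and the sample files are constructed in a temporary directory.

```python
import os
import stat
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
# Assumed set of extensions a user would expect to open in a viewer.
DOC_EXTS = {"pdf", "txt", "doc", "docx", "odt", "jpg", "png"}

def is_elf(path):
    """True if the first four bytes of the file are the ELF magic."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False

def claimed_ext(name):
    """Extension the name suggests, ignoring trailing dots and spaces."""
    stem = name.rstrip(". ")
    return stem.rsplit(".", 1)[1].lower() if "." in stem else ""

def find_disguised_elf(directory):
    """Return (name, has_user_exec_bit) for ELF files named like documents."""
    hits = []
    for p in sorted(Path(directory).iterdir()):
        if p.is_symlink() or not p.is_file():
            continue
        if is_elf(p) and claimed_ext(p.name) in DOC_EXTS:
            hits.append((p.name, bool(p.stat().st_mode & stat.S_IXUSR)))
    return hits

def demo():
    """Build constructed sample files and scan them."""
    with tempfile.TemporaryDirectory() as d:
        fake = Path(d) / "info.pdf."            # ELF header bytes, PDF-like name
        fake.write_bytes(ELF_MAGIC + b"\x02\x01\x01" + bytes(9))
        os.chmod(fake, 0o755)
        (Path(d) / "real.pdf").write_bytes(b"%PDF-1.7\n")    # genuine PDF header
        (Path(d) / "tool").write_bytes(ELF_MAGIC + bytes(12))  # ELF, honest name
        return find_disguised_elf(d)

if __name__ == "__main__":
    for name, executable in demo():
        print(f"{name}: ELF content, user-executable={executable}")
```

To audit a real folder, call `find_disguised_elf()` on it, for example the user's Downloads directory.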