While https://phabricator.kde.org/D4534 "[Folder View] Don't show script execution prompt on desktop:/" fixed the prompt for executable .desktop files on the desktop directly, it breaks again when those files are in a subfolder on the desktop and accessed through the cascading view. Maybe the check should be successful for all paths starting from desktop:/ without ".."? This probably needs some discussion first...
Well, that'll introduce a vunerability when you extract an archive onto your desktop which Ark by default puts into a subdirectory.
Because ark can make the contents executable, right? Sounds like we need a way to differentiate between an executable file that was locally created by a trusted process (e.g. a desktop file made by KIO) vs one that came from somewhere else or was created by an untrusted process (e.g. downloaded from the internet, un-archived from a zip file, etc).
This was fixed a while ago. Can confirm it's working now.