Right now, the On-NoSignature action gets blindly applied by the verifier even though there is no policy record available for the author domain, and thus may lead to RFC breakage/unwanted results. Thus the On-NoSignature action should be used ONLY when there is a policy record available.
That means, since "all" and "discardable" checks have already passed the code in question, right now "unknown" aka "domain might sign some or all email" is the only one left over - and here it is indeed the choice of the postmaster, what to do.
Just in case there is a radical admin who really wants to reject all messages having no signature, there should be an additional config flag (e.g. AlwaysRequireSignature), which may allow this questionable behavior.
Suggested patch attached.