In Catalina, it appears that there's a networked assessment of new executables (including scripts). Nix is constantly generating new executables during a build, so I'm trying to get a bead on how stable/variable this effect is. (AFAIK, it's only meaningful to test this on single-user installs. We have yet to identify any way to successfully exempt builds under multi-user/daemon installs.)
Open 2 terminal tabs/windows and set up the first to monitor the relevant logs by running:
log stream --debug --info --predicate 'process == "syspolicyd" AND subsystem == "com.apple.securityd" AND category == "gk"'