The executable that Windows is warning you about isn't downloaded. It's actually embedded in reflector.exe itself and extracted at runtime to allow Reflector to update itself once it's downloaded the new zip file.
I agree that it's an annoyance that the updater exe isn't signed, and one that we should definitely fix, however reflector.exe itself is signed, as is the zip file that you (or Reflector) downloads from the website. This means that if the updater exe was modified it would break the signature on reflector.exe and therefore I think it's a bit strong to suggest that we don't care about protecting our customers.
I hope this information is helpful. We will try to get it fixed in the near future.