It seems like is_executable() will always return true for .exe files when you're using Windows (thanks to @ashley for checking for me). On Linux it actually checks if the executable bit is set. So currently MinusX is OK with .exe files on Linux, but on Windows it will fail, leading to https://gerrit.wikimedia.org/r/#/c/386966/
I think the situation we want is that these files are not +x in git, but the tool should pass regardless of the OS it's run on. I propose that we whitelist application/x-dosexec only when it is run on Windows. Does that sound reasonable?