If a regular security posture user wants to check that malware was installed, I like both a scanner for known attacks and something that looks for persistent processes being hidden. Most people like me and my family, relatives, work colleagues that aren’t involved in super secret work - I would say if you didn’t install anything and you don’t see anything going crazy like browser redirects then you could safely trash the file and perhaps be sure Safari doesn’t open “safe” attachments and be sure your backups are set. If you are super at risk of harm due to malware (human rights worker, journalist (especially one critical of the following powerful groups), a potential target of a nation state or large corporation, or just a public figure - think globally recognized celebrity like Beyoncé) you should assume you’re compromised and seek professional help to be sure you’re secure or educated about your risk tolerance and operational security practices. Most run of the mill software won’t cause any harm, run any code, make any changes just because you downloaded a DMG.
There are occasionally programs that exploit a bug in the OS to infect your macOS without typing an admin password, and those generally are patched quickly and depend on you not having the current latest security updates installed.
