I think this leads us back to the OP's initial question then. Can anyone provide us a comprehensive description of how the unmanaged detector works?
If it is checking each endpoint for SEP, then how does it do it? Is it monitoring for SEP heartbeats coming out of the endpoint? If so, does this require the endpoints to be attached to a hub rather than a switch?
If it's doing an active query, then how does it do it? It's not like SEP is listening for requests to make itself known. If it's asking Windows if SEP is installed, then what creds are used to authenticate to it?
Just to confuse things further, my own initial tests here indicate unmanaged SEP clients and SEP clients managed by another SEPM are logged by the unmanaged detector (or at the very least, a SEP12.1RU1MP1 unmanaged detector is unable to detect the presence of SEP11RU6MP2 on another endpoint and says it's unmanaged).
This behaviour is consistent with how I believe the unmanaged detector works, but conflicts with what the Symantec guys have posted. As such, a comprehensive writeup would be much appreciated.