We already do cooldowns and disable preinstall and postinstall scripts on all packages except for ones that actually require it.
I bet if you looked at 70% of your dependencies pulled in, you would be horrified. I would rather have those capabilities via code in my repos at this point.