The response was, "needs a discussion," as in a post on `https://codeberg.org/forgejo/discussions`, rather than directly creating a PR.

There also was feedback saying approximately that they've been burned by security changes in the recent past and don't want to run into similar issues without due consideration.