The issue is that this is such a pain (and shuts out a large percentage of the world's population) that you'll inevitably get a parallel ecosystem of packages without these onerous controls, which everyone would end up using.

I don't know how to square the circle, but any variation of "make it safer but really painful and difficult for anyone to publish a package" has this problem.