Honestly, these conversations are tiresome.
I think Rust probably just needs some sort of dedicated infrastructure security team to sort these things out. I am not interested in arguing these things in such a way.
Someone should take ownership of developing a threat model for infrastructure and use that to answer questions like the ones posted in this topic. Bars should be set.
These conversations have reminded me why I much prefer getting paid for my work, at companies with systems in place for this sort of discussion to be had in a semi-sane manner. If a working group for this sort of thing existed, we could answer this by just addressing the existing threat model, discussing implementation, and working to understand the complexity involved. In fact, this would all be driven that way.
So that’s my suggestion. Start there. Pushing for security barriers without that is more painful than I’m willing to tolerate.