Are Rust crates secure?

This is a very helpful thread, with so many ideas that I can learn from.

One of the things that I think is missing here is the idea to run all crates in a secure sandboxed environment by default, with no network access and no file system access. This will make sure that all crates do what they are supposed to do; for example, a linter lib should just read and write and cannot access any network.

As a Rust user, I want to run all my projects in a sandboxed environment with crate-level permissions to access the network or file system. And yes, it needs to be combined with other ideas such as 2FA, signing, etc. to create more security at the crate distribution level.
