Few people inspect the source code of every dependency they use; people just don't have that kind of time or expertise. The community will have these needs met whether SPM does it or not, so if there's interest in support such a feature at all, getting started now and adding security over time seems better than delaying the feature and forcing everyone to use different tools that don't offer such security anyway.