- binaries will also be able to be pinned to specific versions, since one version of the manifest specifies concrete versions of the binary artifacts through checksums. The pinning is even slightly stronger, I don't think we catch deleting and recreating a tag.
Pinning the version is fine, and the Package.resolved already does this. But there's no real correlation between the source @ v1.2.3 and the binary @ v1.2.3, just implied. 
- my take on the opt-in for specific packages is that this is more of a workflow feature for individual tools to figure out than part of the core manifest (mentioned here). If we agree that this is true, it might make sense to mention that in the proposal.
Hmm... not sure I agree on that part, especially since it's SwiftPM that is now pulling in the binaries. It'd be one thing if the external binary was being pulled in via some external workflow measure and SwiftPM was just providing flag annotations for the compiler.
The only real way I could see that working with the proposal today is a pre-fetch of all of the top-level packages you depend on, adding in the disallowBinaryPackages: true setting those Package.swift files, and have your Package.swift reference the local copies instead.