For the record, in the context of fixing a security issue in the Gitea migration codepath @zeripath wrote:
We need to redesign the uploader/downloader framework to allow for stuff to be checked in a common and clean way so that no downloader can ever create an unsafe PR.