Again I think we're talking about different things.
> We just haven't had the benefit or forcing function which encourages a solution to "that stuff over there is less trusted than my stuff over here".
No the problem is we can't let people say "that stuff is someone elses fault" when it is their own fault.
Scammers will claim subdomains are actually just not them and are other bad actors, and you're back to loads of phishing pages.
> Maybe we're at the point where hosts of any kind MUST be responsible (or accountable) for any content originating from their domain?
We already are at that point, the PSL is to get past it for cases where people host on subdomains. Netlify shouldn't have to risk having every customer flagged if one customer is a phisher. The curation is vital.
The other solution would be to have another approach around hosting where verifiable owners could publish wherever they want and it's tied to a real entity, but that has other worrying outcomes I assume.
If you reread my final paragraph (MUST be responsible) then in think we're reaching the same conclusion: "on behalf of" is untenable for small hosts (ie: anyone smaller than Google or Facebook)
The other way of looking at it might be similar to "DMARC-4-HTTP", ie: sign Content-Length, Content-Sig with a public/private key and if you include `SELECT comments FROM evil` then that "taints" your key.
It gets back to netlify that index.html would be signed by netlify.gpg, but haxor.netlify.com would be signed by not_netlify.gpg
> We just haven't had the benefit or forcing function which encourages a solution to "that stuff over there is less trusted than my stuff over here".
No the problem is we can't let people say "that stuff is someone elses fault" when it is their own fault.
Scammers will claim subdomains are actually just not them and are other bad actors, and you're back to loads of phishing pages.
> Maybe we're at the point where hosts of any kind MUST be responsible (or accountable) for any content originating from their domain?
We already are at that point, the PSL is to get past it for cases where people host on subdomains. Netlify shouldn't have to risk having every customer flagged if one customer is a phisher. The curation is vital.
The other solution would be to have another approach around hosting where verifiable owners could publish wherever they want and it's tied to a real entity, but that has other worrying outcomes I assume.