I am happy to help fund this.
In #withdrawal-methods, @jgm has discussed the option of a social mechanism where validators could optionally provide a text file to request which withdrawal address to allow. My eth2 validator key is compromised (I took notes, and forgot I took them… I am very ashamed) and I would strongly prefer requesting that the only allowed withdrawal address should be my eth1 deposit address (which is not compromised).
I can still sign messages with both my eth1 deposit key and eth2 key. The attacker cannot.