Should Civi core provide a secure, standardized approach if extensions want to provide automatic self-updating? (Such as what CiviMobileAPI does)

CiviMobileAPI provides functionality for automatic self-updating (e.g. https://lab.civicrm.org/extensions/civimobileapi/-/blob/master/CRM/CiviMobileAPI/Utils/Extension.php). Some of it is using core API, but some of it is doing its own thing with hardcoded values:

  /**
   * Get latest version of extension download link
   */
  public static function getLatestVersionDownloadLink() {
    $version = CRM_CiviMobileAPI_Utils_VersionController::getInstance();
    $downloadUrl = 'https://lab.civicrm.org/extensions/civimobileapi/-/archive/';
    $downloadUrl .= $version->getLatestFullVersion() . '/civimobileapi-' . $version->getLatestFullVersion() . '.zip';

    return $downloadUrl;
  }

As far as I know Civi doesn't do any package signing to make this process more secure. At the very least, I think Civi should centralize this process to make this more secure.

Some things that would make this more secure:

package signing
put the toggle for automatic updates on the main extensions page. Perhaps a toggle for each extension.
provide core API for the whole process so extensions don't need to roll their own approach.
ensure that an extension is using an official path.