The trouble is the constraint mechanism is outside of the inherent chain of trust logic and is checked using application level logic.

So you have to modify all potential clients for this constraint to be enforced. So it's effectively worthless as there is no way to roll it out in any meaningful sense.