We should collectively make sure that any PRs trying to land these changes are very well reviewed. We wouldn't want any security holes to slip by. I think a couple dozen rounds of reviews should suffice. I've heard great things about how productive AI can be at generating very thorough code quality assessments. After all, we should only ship it once it's perfect.

To be more direct - if you're in any editorial position where something that smells like this might require your approval, please give it the scrutiny it deserves. That is, the same scrutiny that a malicious actor submitting a PR that introduces a PII-leaking security hole would receive. As an industry we need to civil disobedience the fuck out of this.

The PRs should only be allowed if they only create a flag when the user is underage. Otherwise its just another point of data that makes fingerprinting easier.