Zero movement on this since for such an easy thing to implement, amounts to writing a single record like your profile.

However, this is fundamentally unenforceable. I think what we need is a successor to ATProto, call it Permissioned Transfer Protocol where content, activity, and metadata is not completely public and broadcast to the world. ATProto made some good choices for network architecture, and while they are looking to bolt something on after, permissions and privacy need to be part of the core design, not an afterthought.