ozim 2 hours ago
People are disregarding the model where the registry is responsible for what they publish. Your solution does exactly that. Giving hooks to end users just pushes the responsibility to the users. Yes, all issues were publicized and marked in hours. Sorry, but hours is not good enough when there are countless CI pipelines running in a single hour. The only solution is not allowing malicious stuff to be published. Cooldowns are also not the solution, because the possibility to publish malicious code is still there if no one reviews it.