Hey Richard,
Should we have a higher level of attention to these packages? We already have "critical path", but that's a broad category now. These seem like they are "security path" packages, an intentionally small subset associated with very secure services which are enabled by default.
It sounds like a good plan to put certain dependencies on a critical path. Perhaps anything that is used by packages included in the various editions of Fedora that allow for remote access (even if disabled by default) could fall under that path?
We could also try to ensure that packages do not contain any binary blobs and instead require generation scripts for those that we can run ourselves.
Regards,
Simon