I don't know whether that would be acceptable to controller authors and users.
I'm fine with a couple things...

* adding a tor provided blacklist
* adding a tor provided whitelist *if* Tor itself fails to start when the torrc has a CookieAuthFile outside of that list and all versions which allow for non-whitelisted files are flagged as obsolete
It would cause confusion for users to be able to define any arbitrary cookie path in Tor, then have some controllers provide buggy looking behavior by failing to authenticate.
As mentioned on IRC, this Safe Cookie proposal should also include the deprecation of the current CookieAuthentication option. Otherwise a malicious socket could simply claim to only support non-safe cookie authentication to still trick controllers into divulging the cookie. Users could tell their controller to only allow safe cookie auth, but in practice users, of course, won't do that.
Cheers! -Damian
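
Added example, not part of the original message or of any Tor controller: a controller-side policy that treats the PROTOCOLINFO reply as untrusted, refuses the legacy-only downgrade described above by default, and only accepts whitelisted cookie paths. The `SAFECOOKIE` method name and AUTH line layout follow Tor's control-spec; the whitelist entries and the names `choose_cookie_auth` and `AuthRefused` are assumptions made for illustration.

```python
import os
import re

# Assumption: the cookie locations this controller will read (hypothetical whitelist).
ALLOWED_COOKIE_PATHS = {
    "/var/run/tor/control.authcookie",
    "/var/lib/tor/control_auth_cookie",
}

# AUTH line of a PROTOCOLINFO reply; COOKIEFILE is a quoted string with \-escapes.
AUTH_LINE = re.compile(
    r'^250-AUTH METHODS=(?P<methods>[A-Z,]+)'
    r'(?: COOKIEFILE="(?P<path>(?:[^"\\]|\\.)*)")?'
)

class AuthRefused(Exception):
    """Raised when the controller declines to touch any cookie file."""

def choose_cookie_auth(protocolinfo_reply, allow_legacy_cookie=False):
    """Pick a cookie auth method from an untrusted PROTOCOLINFO reply.

    Returns (method, cookie_path) or raises AuthRefused.
    """
    for line in protocolinfo_reply.splitlines():
        match = AUTH_LINE.match(line)
        if match:
            break
    else:
        raise AuthRefused("no AUTH line in reply")

    methods = set(match.group("methods").split(","))
    raw_path = match.group("path")
    if raw_path is None:
        raise AuthRefused("no COOKIEFILE offered")
    # Undo backslash escapes, then collapse "." and ".." (symlinks are not resolved).
    path = os.path.normpath(re.sub(r"\\(.)", r"\1", raw_path))
    if path not in ALLOWED_COOKIE_PATHS:
        raise AuthRefused("cookie path not whitelisted: " + path)

    if "SAFECOOKIE" in methods:
        return ("SAFECOOKIE", path)
    # Only the legacy method is on offer: the downgrade case described above.
    if "COOKIE" in methods and allow_legacy_cookie:
        return ("COOKIE", path)
    raise AuthRefused("peer offers no safe cookie method")
```

With `allow_legacy_cookie` left at its default, a peer that advertises only `COOKIE` gets no cookie at all, which is the behaviour deprecating the old option would enforce for every controller.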