Forget about trust for the moment. Let's say the goal is to prevent
the kernel from creating any bindings other than those in some small
"allowed" set. To fully specify one of the allowed bindings, you
would have to provide both a device ID and a driver name. But in
practice this isn't necessary, since a device with a given ID will
bind to only one driver in almost all cases, and hence giving just
the device ID is enough.
So to do what they want, all that's needed is to forbid any bindings
except where the device ID is "allowed". Or to put it another way,
where the device's authorized flag (which can be initialized based on
the device ID) is set.
(The opposite approach, in which the drivers are "allowed" rather
than the device IDs, apparently has already been discussed and
rejected. I'm not convinced that was a good decision, but...)
Does this seem like a fair description of the situation?
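As an added illustration of the "forbid every binding except where the device ID is allowed" policy (this script is not part of the thread and is not anyone's proposed patch), the sketch below applies such a policy through the USB bus's existing sysfs `authorized` attribute, which is the closest already-merged precedent for a per-device authorized flag. It assumes a sysfs-like tree in which each device directory carries `idVendor`, `idProduct` and `authorized` files; the allowlist and the fake device tree are constructed for an offline run, so the path, the IDs and the function names are the example's own, not the kernel's.

```shell
#!/bin/sh
# Added example, not from the thread: enforce an "allowed device ID" policy
# for USB by writing the existing sysfs "authorized" attribute (1 = may bind
# a driver, 0 = may not). Assumption: a sysfs-like tree rooted at $1 where
# each device directory has idVendor, idProduct and authorized files.

# Constructed allowlist of vendor:product IDs (lower-case hex), space separated.
ALLOWED_IDS="${ALLOWED_IDS:-8087:0024 046d:c52b}"

# is_allowed VENDOR:PRODUCT -> exit 0 if the ID is in the allowlist, 1 otherwise
is_allowed() {
    id="$1"
    for a in $ALLOWED_IDS; do
        [ "$a" = "$id" ] && return 0
    done
    return 1
}

# device_id DIR -> prints "vendor:product" read from the device directory
device_id() {
    v=$(cat "$1/idVendor") && p=$(cat "$1/idProduct") || return 1
    printf '%s:%s\n' "$v" "$p"
}

# apply_policy ROOT -> for every device under ROOT, write 1 or 0 to its
# authorized attribute depending on whether its ID is allowed; prints one
# "name id decision" line per device so the outcome can be logged or audited.
apply_policy() {
    root="${1:-/sys/bus/usb/devices}"
    for d in "$root"/*/; do
        d="${d%/}"
        [ -f "$d/authorized" ] || continue      # skip entries without the attribute
        id=$(device_id "$d") || continue        # skip interfaces (no idVendor)
        if is_allowed "$id"; then
            echo 1 > "$d/authorized"; decision=allowed
        else
            echo 0 > "$d/authorized"; decision=denied
        fi
        printf '%s %s %s\n' "$(basename "$d")" "$id" "$decision"
    done
}

# fake_device ROOT NAME VENDOR PRODUCT -> one constructed device directory,
# initially authorized (the kernel's default when authorized_default is 1)
fake_device() {
    mkdir -p "$1/$2"
    printf '%s\n' "$3" > "$1/$2/idVendor"
    printf '%s\n' "$4" > "$1/$2/idProduct"
    printf '1\n' > "$1/$2/authorized"
}

# make_fake_tree ROOT -> constructed sysfs-like tree for running this offline
make_fake_tree() {
    fake_device "$1" 1-1 8087 0024   # constructed: in the allowlist
    fake_device "$1" 1-2 1d6b 0002   # constructed: not in the allowlist
    fake_device "$1" 1-3 046d c52b   # constructed: in the allowlist
}

# Usage: sh allow_ids.sh --demo     (runs against a temporary fake tree)
#        ALLOWED_IDS="..." ; apply_policy /sys/bus/usb/devices   (as root)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_fake_tree "$tmp"
    apply_policy "$tmp"
    rm -rf "$tmp"
fi
```

On a real system this is only the second half of the policy: to stop a newly plugged device from binding before the script reaches it, the hub's `authorized_default` attribute under the root hub's sysfs directory is set to 0 first, so that devices enumerate deauthorized and only the allowlisted IDs are flipped to 1. That ordering is what makes the "authorized flag initialized from the device ID" idea in the message above hold without a window in which an unknown device is already bound.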