Well, a bot could also just spam the repo full with nonsense proposals. I guess you'd need a repo whitelist/blacklist option, really, in ngit. Then each project could determine how to define that list. I wouldn't put it in the maintainers file, though.

Trying to account for malicious actors in each feature is too complicated. 

 Yes. I'm kind of new to spam prevention so the thought of working features around this excites me.
Users could opt in/out of the reports bans by the maintainers.
Although maybe a maintainer would prefer to manage these separately.