And who would be responsible for turning the flag on/off? The user themselves? In which case aren’t we back to square one (with some/most users at least)?
Or perhaps a coordinator? Do they want the extra responsibility?
If you fear that will be a problem, I would suggest setting the flag to false for everyone except experienced users like VE3TOK, DG8NGN, N1URO etc., and awaiting requests to enable it for others. I would be OK with managing that for my area as a coordinator.
I don't think that users are especially malicious; they just don't know what they want and what they are doing. An extra procedure provides the opportunity to explain things more clearly (in their native language), and most users would not require the extra functions anyway.
I also suggest removing all gateways that have no subnets (those are likely the result of experiments that never went anywhere) and all gateways related to user accounts that have expired. They are easy enough to re-add when desired.
There could be logging of which gateways returned "ICMP - dest unreach" on the RIP broadcasts; if so, those that did so for a long time could be removed as well. Then it is easier to take a closer look at what remains, to check if there are likely config errors.
Rob