consent in aframe-verse.json privacy security e.g.

[coderofsalvation]

a verse-JSON description should give hints to the host-verse, for example:

aframe-verse.json

features:{
  "NAF": true,   // when set to true, non-multiplayer verses can block this verse
}
  

[coderofsalvation]

Actually, I'm going to leave this out of scope for now.
Security can be hardened by the developer(s) when the need (more users e.g.) arises.
This is enough for most cases.

Introducing a-priori consent-flags in the aframe-verse.json-schema against imagined theoretical threats (of an imagined large-userbase-size) would pivot this project into a completely different totalitarian adventure.

Instead, like in the realworld, the responsibility lies between endusers & developer(s) of a verse.
The developer(s) of a verse are in control of their aframe-verse.json and which external aframe-verse.json-files they (dont) want to link to.
The developer(s) can also agree with another verse on certain property-values in aframe-verse.json for finer-grained controls/security.
Ultimately, the enduser has the power to visit a verse (or not).