Send them a request to have Trusted publishers support at central-support (at) sonatype.com
I did that a couple of weeks ago and received an acknowledgment: "Another request on Trusted Publishing option. Assigning to Product for review and further action." So this is a bit encouraging.
At least Maven dependencies don't execute scripts on install, but Maven plugins could have a big blast radius.
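To make the distinction above concrete, here is an added illustration that is not part of the thread: a minimal pom.xml in which a plain dependency only gets downloaded and put on the classpath, while a plugin bound to the `validate` phase runs an arbitrary command on the build machine with the privileges of whoever runs `mvn`. The plugin version and the command are assumptions chosen for illustration.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>blast-radius-demo</artifactId>
  <version>1.0</version>

  <dependencies>
    <!-- A dependency: Maven resolves and downloads the jar, nothing in it runs at install time. -->
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>some-library</artifactId>
      <version>1.2.3</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- A plugin: code from this artifact executes during the build, here on every `mvn validate`
           (and any later phase, such as `mvn install`). A compromised plugin release runs with the
           full rights of the developer or CI account invoking Maven. -->
      <plugin>
        <groupId>org.codehaus.mojo</groupId>
        <artifactId>exec-maven-plugin</artifactId>
        <version>3.1.0</version> <!-- assumed version, illustration only -->
        <executions>
          <execution>
            <id>run-at-validate</id>
            <phase>validate</phase>
            <goals>
              <goal>exec</goal>
            </goals>
            <configuration>
              <executable>sh</executable>
              <arguments>
                <argument>-c</argument>
                <!-- illustrative command; a malicious plugin needs no such configuration at all -->
                <argument>echo "running as $(id -un) on $(hostname)"</argument>
              </arguments>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Note that `exec-maven-plugin` is only used here to make the execution visible; any plugin's Mojo code runs in the same way once it is declared in the pom, so pinning plugin versions and verifying where plugin artifacts come from matters more than it does for ordinary dependencies.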