But none of those would have helped in this case, where each dev/user intentionally installed the package specifically so it could retrieve data from the WhatsApp API.

What would have helped is if the dev/user had the ability for the dev/user to confirm before the code connected to a new domain or IP - api.WhatsApp.com? Approve. JoesServer.com or a random IP? Block. Such functionality could be at the OS or Docker level, etc.