policy: Consider if tooling/libraries should have a default policy
Mentioned by @jas, I think it's a good idea but needs some thinking about how to achieve it. Hardcoded? Download signed, sigsum-signed, etc? And why / what's the motivation for doing one over the other.
Please think about this @nisse and then we can discuss it some more. Possibly related to #49 and #50.