This has ~nothing to do with specifying module paths: it would be conceptually ok (if somewhat fragile) to create a module crypto provided that it does not define any packages that are also defined in GOPATH/src.
The problem here is that the existing ambiguous import error is not detecting the collision between the user's module and the standard library. That should be a much easier (and less invasive) fix.
I'm not sure. It should be a fairly easy fix, but it doesn't need to hold up the release; moving to 1.19 for now, but I may move it back if the fix turns out to be small enough to go in during the freeze.