Reputation attack on third parties through rSAFor prompts

[johannhof]

As @annevk mentioned e.g. here, for browsers implementing prompts for rSAFor, a site A that has a bad reputation with users could request storage access for another site B without B's desire to be associated with A.

Chrome currently solves this through the application of First-Party Sets to autogrant rSAFor. Even if they don't agree with using FPS for autogrants, it's imaginable to me that other browsers might use FPS for e.g. restricting availability of the rSAFor prompt. Beyond that, I think it's interesting to consider requiring a .well-known file or a similar resource/opt-in for third parties.