by Lucasoato 1577 days ago
What about checking the whois expiration of every email domain and locking out all the expired ones?
2 comments

That moves this in the right direction, but still has security challenges. You need a path for the legitimate package author to reactivate their account after domain expiration, which means you need another way to trust you're talking to the same human as before the domain expired. This is where stuff like PGP comes up, but that comes with yet more challenges.
You still can't tell whether a domain was automatically renewed at expiration by the owner or by an attacker. A lot of registrars will auto-renew at the expiration date, or close enough that you can't tell from WHOIS records.
Maybe there should be some metadata that indicates whether a renewal is approved by the previous owner. That might require some extra administration by domain registrars and probably couldn't be applied retrospectively, but it would be useful.
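One way to turn the expiration check proposed in the thread into a lockout policy, including the ambiguous "renewed right at expiry" case raised above, as an added example that is not part of the original thread (the WHOIS records below are constructed sample data, not real registry output):

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional

@dataclass(frozen=True)
class WhoisRecord:
    created: date   # registry creation date
    updated: date   # last update (typically the most recent renewal)
    expires: date   # current expiration date

def classify_domain(stored: WhoisRecord, current: Optional[WhoisRecord],
                    today: date, grace_days: int = 7) -> str:
    """Compare the WHOIS record seen when the email was verified with today's record."""
    if current is None or current.expires < today:
        return "expired"            # lock out: nobody holds the domain any more
    if current.created != stored.created:
        return "reregistered"       # lock out: it dropped and a new registrant picked it up
    if current.expires > stored.expires and abs((current.updated - stored.expires).days) <= grace_days:
        return "renewed_at_expiry"  # ambiguous: owner auto-renewal or takeover, WHOIS can't tell
    return "active"                 # renewed well before expiry by the same registration

LOCKOUT = {"expired", "reregistered", "renewed_at_expiry"}  # require re-verification out of band

def review_accounts(accounts: Dict[str, str], stored: Dict[str, WhoisRecord],
                    current: Dict[str, WhoisRecord], today: date) -> Dict[str, str]:
    result = {}
    for user, email in accounts.items():
        domain = email.rsplit("@", 1)[1].lower()
        result[user] = classify_domain(stored[domain], current.get(domain), today)
    return result

# Constructed sample: what was recorded at email verification vs. what WHOIS shows today.
TODAY = date(2024, 6, 1)
ACCOUNTS = {"alice": "alice@example.com", "bob": "bob@lapsed.example",
            "carol": "carol@dropcatch.example", "dave": "dave@autorenew.example"}
STORED = {
    "example.com": WhoisRecord(date(2015, 1, 10), date(2023, 3, 15), date(2024, 8, 1)),
    "lapsed.example": WhoisRecord(date(2019, 9, 9), date(2022, 9, 9), date(2023, 9, 9)),
    "dropcatch.example": WhoisRecord(date(2012, 5, 1), date(2023, 2, 1), date(2024, 2, 1)),
    "autorenew.example": WhoisRecord(date(2018, 4, 20), date(2023, 5, 20), date(2024, 5, 20)),
}
CURRENT = {
    "example.com": WhoisRecord(date(2015, 1, 10), date(2024, 3, 15), date(2025, 8, 1)),
    # lapsed.example: no current record at all (registration dropped)
    "dropcatch.example": WhoisRecord(date(2024, 3, 10), date(2024, 3, 10), date(2025, 3, 10)),
    "autorenew.example": WhoisRecord(date(2018, 4, 20), date(2024, 5, 20), date(2025, 5, 20)),
}

if __name__ == "__main__":
    for user, status in review_accounts(ACCOUNTS, STORED, CURRENT, TODAY).items():
        print(f"{user}: {status}{'  -> lock out' if status in LOCKOUT else ''}")
```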

The other place where this potentially matters is CAs issuing TLS certificates for domains that expire before the certificate does. If they detect that a domain they have issued a certificate for has been subsequently registered by a new entity, they should revoke the old certificate.

You might as well use something out-of-band to verify emails, like PGP.