The plan is to first nail down this low-level API, and then specify a high-level interface wrapping the low-level one that makes it much easier for most developers to get things right.
I see talk in those threads about how the "low-level API" is logistically the right move, but not a lot of talk about how it's right in an engineering sense. Is it possible that the cart is pulling the horse here?
I don't think that's enough -- in fact, I think it's worse. The low level API inherently has a broken trust model, and using that as a stopgap is going to be worse for security than it not existing at all. If anything, the low level API should be tabled in favor of the high level.