Even if everyone used it, the security scanners would still have time to do their static analysis of new packages. Basically, all the clients implementing a delay would create a de facto quarantine status for new packages so they can be examined before everyone starts installing them. (Why npm doesn't just implement that themselves, I do not know.)
I think if they did it, then attackers would be able to iterate their attack against their own project, and once it passes the filters they could deploy for real.
I guess it could work better if it was enabled for only actual attack vectors projects.
That’s my point. For whatever reason, npm isn’t doing it. All npm users adding a minimum package age is kind of like doing it as a collective, without npm’s help.
Many places run analyzers on published code; many security users have reason to shorten the period. The default period becomes the period where white hats have a chance to detect it and stop it passing the threshold.