Fix your FODs - FODs and security

I don’t think the case of “switching from fetchFromGitHub to fetchgit with the exact same result but not being able to pay the cost of another download/build” is very common/compelling, to be honest. We cause rebuilds for far sillier things than that in practice.

I don’t think that encoding more in the names of FODs would solve the fundamental security issue here, but it would at least make the exploit conditions meaningfully harder to achieve, as well as fixing the incredibly common and annoying UX issue of changing the version but not the hash without getting an error. I am in favour of landing NixOS/nixpkgs Pull Request #49862, “Make `fetch*` source derivation names (optionally) more descriptive and homogenize them across fetchers” by oxij, and adjusting the default. I have a feeling that the only reason we haven’t done it is because nobody feels like being the one to make the call (though of course it ought not be done in this particular current stage of the release cycle).

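An added example, not part of the post above and not code from Nix or nixpkgs: a Python model of how the output path of a recursive-SHA-256 fixed-output derivation is derived from only its name and declared hash, which is why a version bump with a stale hash resolves to the path already in the store. It assumes the generic name `source` as the current default, and the `<repo>-<rev>-source` scheme, the `example` repo and the hash are constructed for illustration.

```python
import hashlib

NIX_B32 = "0123456789abcdfghijklmnpqrsvwxyz"  # Nix's base32 alphabet

def nix_base32(data: bytes) -> str:
    """Nix-style base32: 5-bit groups, emitted from the last group to the first."""
    out = []
    for n in range((len(data) * 8 + 4) // 5 - 1, -1, -1):
        i, j = divmod(n * 5, 8)
        c = data[i] >> j
        if i + 1 < len(data):
            c |= data[i + 1] << (8 - j)
        out.append(NIX_B32[c & 0x1F])
    return "".join(out)

def fod_store_path(name: str, sha256_hex: str, store_dir: str = "/nix/store") -> str:
    """Output path of a recursive-SHA-256 FOD: a function of name and hash only."""
    fingerprint = f"source:sha256:{sha256_hex}:{store_dir}:{name}"
    digest = hashlib.sha256(fingerprint.encode()).digest()
    folded = bytearray(20)  # the 32-byte digest is XOR-folded down to 20 bytes
    for i, b in enumerate(digest):
        folded[i % 20] ^= b
    return f"{store_dir}/{nix_base32(bytes(folded))}-{name}"

def path_for(fetch: dict, descriptive: bool) -> str:
    # Hypothetical descriptive scheme "<repo>-<rev>-source"; not the PR's exact format.
    name = f"{fetch['repo']}-{fetch['rev']}-source" if descriptive else "source"
    return fod_store_path(name, fetch["sha256"])

# Constructed sample: the same hash before and after a version bump (hash not updated).
OLD_HASH = hashlib.sha256(b"constructed tree contents for v1.0").hexdigest()
OLD = {"repo": "example", "rev": "v1.0", "sha256": OLD_HASH}
BUMPED = {"repo": "example", "rev": "v1.1", "sha256": OLD_HASH}

def stale_hash_goes_unnoticed(descriptive: bool) -> bool:
    """True if the bumped fetch maps to the path the old fetch already populated."""
    return path_for(OLD, descriptive) == path_for(BUMPED, descriptive)

if __name__ == "__main__":
    for descriptive in (False, True):
        print("descriptive names:", descriptive)
        print("  old   ", path_for(OLD, descriptive))
        print("  bumped", path_for(BUMPED, descriptive))
        print("  stale hash reused silently:", stale_hash_goes_unnoticed(descriptive))
```

With the version in the name, the bumped fetch gets a new path, so the fetcher actually runs and the stale hash fails verification instead of being satisfied from the store.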