Reconsider reusing upstream tarballs

I started work on the git-hashing experimental feature (see also this comment Obsidian Systems is excited to bring IPFS support to Nix - #65 by Ericson2314) in large part because of this sort of thing.

Ideally all fetching would start with a source control signature (signed tag, signed commit, etc.), and we will simply traverse the Merkle structure from there until we get all the source code we want. Filtering can happen in subsequent steps.

When we start with pre-filtered (or otherwise pre-processed) source code, we indeed the provenance. In addition to being bad for security, this makes it harder to interface with things like Software Heritage.
