I think more proper solution is to limit writes of untrusted actions - they shouldn't be allowed to update cache. Only read - for perf reasons.