Some of these requirements should be implemented as further ERC-5792 capabilities and standardized in a follow-up ERC, and if that’s not possible we should look at improving ERC-5792 itself. Others may be more appropriately addressed with a different smart contract design for these protocols.
Can you share an example of such callbacks?
Authorizing a bad contract to act on your behalf is very different from calling a bad contract. But a bad dapp could request a batch of calls that steals all of the wallet’s assets. I think the difference comes down to how easy it is for a wallet to detect and report a risky signature. If you want to detect whether a code delegation is risky you need static analysis to understand all possible behaviors of that code. If you want to detect whether a batch of calls is risky you “just” have to simulate the batch execution.
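The "just simulate the batch" step above, as an added example that is not part of this thread or of ERC-5792 itself: a wallet-side check that takes the simulated result of a `wallet_sendCalls` batch and compares what actually left the wallet against what the dapp declared it would spend. The simulation itself (eth_simulateV1 or a local EVM) is outside this snippet; its output here is a constructed stand-in consisting of ETH value transfers and ERC-20 `Transfer` logs, and the `declared` spend limits, address values and the `assessBatch` / `assetDeltas` helper names are assumptions made for the example.

```javascript
// keccak256("Transfer(address,address,uint256)") - the standard ERC-20 event topic
const TRANSFER_TOPIC =
  "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef";

// Indexed address arguments are left-padded to 32 bytes in a log topic.
function topicToAddress(topic) {
  return ("0x" + topic.slice(-40)).toLowerCase();
}
function addressToTopic(addr) {
  return "0x" + addr.slice(2).toLowerCase().padStart(64, "0");
}

// Net asset change of `wallet` across a simulated batch.
// sim (constructed shape for this example):
//   { valueTransfers: [{from, to, value: bigint}],
//     logs: [{address, topics: [...], data: hex}] }
// Returns { ETH: bigint, [tokenAddress]: bigint } with negative = outflow.
function assetDeltas(wallet, sim) {
  const w = wallet.toLowerCase();
  const deltas = { ETH: 0n };
  for (const t of sim.valueTransfers) {
    if (t.from.toLowerCase() === w) deltas.ETH -= t.value;
    if (t.to.toLowerCase() === w) deltas.ETH += t.value;
  }
  for (const log of sim.logs) {
    if (log.topics[0] !== TRANSFER_TOPIC || log.topics.length !== 3) continue;
    const token = log.address.toLowerCase();
    const from = topicToAddress(log.topics[1]);
    const to = topicToAddress(log.topics[2]);
    const amount = BigInt(log.data);
    if (!(token in deltas)) deltas[token] = 0n;
    if (from === w) deltas[token] -= amount;
    if (to === w) deltas[token] += amount;
  }
  return deltas;
}

// Flag the batch if any asset leaves the wallet beyond the declared limit.
// `declared` maps asset -> max outflow the dapp claims the batch needs;
// any undeclared outflow is treated as a limit of zero.
function assessBatch(wallet, sim, declared) {
  const deltas = assetDeltas(wallet, sim);
  const findings = [];
  for (const [asset, delta] of Object.entries(deltas)) {
    if (delta >= 0n) continue;
    const limit = declared[asset] ?? 0n;
    if (-delta > limit) findings.push({ asset, outflow: -delta, limit });
  }
  return { risky: findings.length > 0, deltas, findings };
}

// Constructed sample addresses (placeholders, not real accounts).
const WALLET = "0x1111111111111111111111111111111111111111";
const TOKEN = "0x2222222222222222222222222222222222222222";
const COUNTERPARTY = "0x3333333333333333333333333333333333333333";
const ONE_ETH = 10n ** 18n;

function transferLog(token, from, to, amount) {
  return {
    address: token,
    topics: [TRANSFER_TOPIC, addressToTopic(from), addressToTopic(to)],
    data: "0x" + amount.toString(16),
  };
}

// Constructed simulation of a benign swap: 1 ETH out, 1000 tokens in.
const SWAP_SIM = {
  valueTransfers: [{ from: WALLET, to: COUNTERPARTY, value: ONE_ETH }],
  logs: [transferLog(TOKEN, COUNTERPARTY, WALLET, 1000n)],
};

// Constructed simulation of a draining batch: 5 ETH and 1000 tokens out,
// while the dapp only declared a 1 ETH spend.
const DRAIN_SIM = {
  valueTransfers: [{ from: WALLET, to: COUNTERPARTY, value: 5n * ONE_ETH }],
  logs: [transferLog(TOKEN, WALLET, COUNTERPARTY, 1000n)],
};

function demo() {
  const benign = assessBatch(WALLET, SWAP_SIM, { ETH: ONE_ETH });
  const drain = assessBatch(WALLET, DRAIN_SIM, { ETH: ONE_ETH });
  console.log("swap risky:", benign.risky, "drain risky:", drain.risky);
  return { benign, drain };
}
```

The check only looks at the wallet's own net balance changes, which is exactly what makes the batch case tractable compared with a code delegation: the simulated outcome of a fixed list of calls is one concrete execution, whereas delegated code has to be reasoned about for every input it might later receive.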