Wouldn’t checking the advertised sha256 before allowing it to be pinned somewhat protect against a DoS attack? Sure I had to waste a bunch of bandwidth downloading a 1G file that was bogus but I’m not going to reprovide that content. Then the attacker is the only one providing the bogus content opening themselves to a bigger DDoS attack. If I download, verify and pin the content that would be like a vote that it’s legit. Sure I could setup a large number of bogus providers but I could also set up a large number of bogus providers that poison a large number of small blocks too. It seems like the only protection is that legit providers drown out bogus providers. As far as I know there isn’t any filtering of nodes that provide bad blocks.
It would be like punching yourself in the face because it made your adversary uncomfortable.