Whilst Enhance is still in the early stages, there are some features from cPanel that just make sense.
One that we use is enforcement of a domain pointing to our nameservers before being created. This then means that those customers adding domains to test like "gmail.com" don't cause issues.
Currently any domain can be added, which, if a user is on the same mail server as one of those and, say, it was gmail.com, means sending email to that domain would then fail and potentially be intercepted by the malicious user.
It would be nice to have a security mechanism in Enhance for this generally. I would propose as follows:
For domains pointing to the solution entirely, an NS check done at root. This could be after the domain is added, with a prompt to do so before the zone is created and all other services are set up.
Domains pointing to trusted nameservers (i.e. ones that we control but not part of the Enhance setup - would need somewhere to add these) can be trusted and considered the same as above (i.e. provision and believe local).
For domains that only want to point an A or MX record, some sort of TXT validation much like Gmail and Outlook do when you add a domain to their service.
Obviously, admins could create and override this but end users have to comply.
Reporting could then easily show domains which no longer point to the solution, and these could potentially be soft-removed from mail configs, zone serving, etc.
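
The three checks proposed above, sketched as an added example that is not part of the original post and is not Enhance code. The nameserver sets, the secret, the `hosting-verify=` TXT format and the `lookup` callable are all assumptions made for illustration, and the DNS answers are constructed sample data.

```python
import hashlib
import hmac

# All names and values below are constructed for illustration; none are Enhance settings.
PLATFORM_NS = {"ns1.host.example", "ns2.host.example"}
TRUSTED_NS = {"ns1.legacy.example", "ns2.legacy.example"}
SECRET = b"constructed-demo-secret"

def norm(name):
    return name.rstrip(".").lower()

def challenge_token(account_id, domain):
    """TXT value bound to one account and one domain, so a proof cannot be reused."""
    msg = f"{account_id}:{norm(domain)}".encode()
    return "hosting-verify=" + hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]

def verify_domain(domain, account_id, lookup, admin_override=False):
    """Return (allowed, reason) for the three cases proposed in the post."""
    if admin_override:
        return True, "admin-override"
    ns = {norm(n) for n in lookup(norm(domain), "NS")}
    # Every NS must be ours: a partial match means another party also serves the zone.
    if ns and ns <= PLATFORM_NS:
        return True, "platform-ns"
    if ns and ns <= PLATFORM_NS | TRUSTED_NS:
        return True, "trusted-ns"
    expected = challenge_token(account_id, domain).encode()
    for txt in lookup(norm(domain), "TXT"):
        if hmac.compare_digest(expected, txt.encode()):
            return True, "txt-verified"
    return False, "unverified"

# Constructed public DNS answers standing in for a real resolver.
SAMPLE_DNS = {
    ("gmail.com", "NS"): ["ns1.google.com.", "ns2.google.com."],
    ("full.example", "NS"): ["NS1.host.example.", "ns2.host.example."],
    ("legacy.example", "NS"): ["ns1.legacy.example.", "ns2.host.example."],
    ("mixed.example", "NS"): ["ns1.host.example.", "ns1.elsewhere.example."],
    ("shop.example", "NS"): ["ns1.elsewhere.example."],
    ("shop.example", "TXT"): ["v=spf1 -all", challenge_token("acct-7", "shop.example")],
}

def sample_lookup(name, rtype):
    return SAMPLE_DNS.get((name, rtype), [])

if __name__ == "__main__":
    for d in ("gmail.com", "full.example", "legacy.example", "mixed.example", "shop.example"):
        print(d, verify_domain(d, "acct-7", sample_lookup))
```

A real `lookup` would have to query public DNS through a resolver that does not consult the platform's own zone data, otherwise a zone the customer has just created locally would answer the check for them.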