Verifying a contributor/org is basically what happens when an individual publisher makes a quota request, and historically that hasn’t been sufficient (at least in my experience, based on a couple of teams at $work who hit the quotas either per-file or per-project). I think getting turnaround time on requests down to under a day would be sufficient - as it stands, my $work teams can’t actually expect to delete files quicker than that anyway, as they’re slowly losing interactive login to PyPI and will have to go through another internal team for deletions.
But more fundamentally, I’m also not convinced that the damage done by a package disappearing (which can be easily mitigated by the consumer if they are concerned) is worse than the damage done by a package not being published (which cannot).