Just like ADDON_ACTION_BLOCKED and ADDON_ACTION_FORBIDDEN what would be IMMENSELY helpful would be an ADDON_ACTION_TAINTED event whenever some secure entity becomes tainted for the first time.
arg1: Name of the newly tainted variable
arg2: Addon the caused the tainted.
We can use debugstack() to get more accurate info after that.
I honestly think that it would require quite a bit of overhead if it were implemented, but sure I do agree that it would be helpful if it were. We do kinda get part of this back when we get issecurevariable() telling us the name of the addon causing the taint, though we still don't know (a) when it happened, or (b) the callstack at the taint.