It is difficult to come up with a good workaround lacking an authentic sender ID. Each participant could generate a key pair and sign their updates so at least impersonation wouldn’t be an issue, but then anyone could still forge an unbounded number of identities and the host still couldn’t see who voted for what in the end either. Keeping the key in local storage will make multi-device impossible, while deriving the key from selfAddr kept secret would only be useful if it contained sufficient amount of entropy.
It is known that Delta Chat aims for delivering the minimal viable product first. It is reasonable to then postpone supporting cases where as many parts of the system could act in a malicious manner.
Note that exposing just these two fields would already solve the very common use case where one of the participants in a group chat, the host, is trusted by other members, none of whom need to be trusted by any other member themselves. The trusted member would be the one to send in the webxdc and to optionally validate business rules after each update. You are already placing ultimate trust in one who develops and sends in the webxdc anyway.
We could protect against a malicious participant sending different updates to different peers by confirming having received the same, unaltered update by each participant. The webxdc app could add the checksum of their whole public aggregate state (or of past updates) to the payload on their turn to achieve this. Again, this would only be possible with an authentic sender ID field.
Related:
Possibly a precondition to: