Personally, I think all whitelists should be disabled by default (I
disabled all whitelists as of some years ago, and occasionally check
to see no new ones has cropped up).
That way is someone wants to allow others to decide who they can trust
(always a bad idea IMHO, trust to each networks must be earned, not
given based on third party advice, and most definitely never ever
bought), so they must explicitly allow it.
While not specific to whitelists, I believe this idea is covered in:
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6729
regards,
KAM