Great list! Giving time for discussion and will review later.
It’s a good point. We do need to rely on on the SecureDrop directory. It’s a useful pointer but not necessarily trusted (as in IT trusted - sometimes you trust because you have to, not because you want to). For example it “gives us a little friendly hint” that ABC news runs a SecureDrop onion". The existence of the ABC news SecureDrop onion however can be verified independently from the SecureDrop directory directly on the ABC news page. https://www.abc.net.au/news/securedrop/ - would have been better to archive that link.
That link is also from the SecureDrop directory but checking that the top level domain
abc.net.au is authentic and the real ABC news is again sufficient for verification. Plus on top if we wanted to have a comprehensive review manual, pointing out the obvious, one would have to review that ABC news is a real thing.