oauth-wg / oauth-sd-jwt-vc

draft-terbu-sd-jwt-vc


Security considerations on integrity of Type Metadata

danielfett opened this issue · comments

Here are considerations we could put into the security considerations section - or think about a mechanism solving the problem:

Authenticity of Provided Type Metadata

If the Type Metadata is retrieved from an HTTPS URL, it can be assumed that the retrieved information is authentic from the party in control of the URL. However, if the Type Metadata is provided via glue documents by the issuer, no such guarantees are provided and the issuer may accidentally or deliberately deliver outdated/wrong/manipulated Type Metadata. Note that the vct#integrity claim protects the integrity of the type information, but does not guarantee that the information is authentic. The Issuer may deliver a vct#integrity claim that matches the metadata in the glue documents.
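The distinction above (integrity via vct#integrity versus authenticity via the source of the document) in code, as an added example that is not from the draft or this thread. It assumes vct#integrity carries a W3C SRI string (`sha256-<base64 digest>`), and the `source` labels, `check_type_metadata` name and sample documents are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass

# SRI digest algorithms accepted in a vct#integrity value: "<alg>-<base64 digest>".
SRI_ALGS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}


def sri_digest(data: bytes, alg: str = "sha256") -> str:
    """Compute the SRI integrity string for a Type Metadata document."""
    return f"{alg}-{base64.b64encode(SRI_ALGS[alg](data).digest()).decode()}"


def integrity_matches(data: bytes, integrity: str) -> bool:
    """True if the document hashes to the vct#integrity value (constant-time compare)."""
    alg, _, _digest = integrity.partition("-")
    if alg not in SRI_ALGS:
        return False
    return hmac.compare_digest(sri_digest(data, alg), integrity)


@dataclass
class TypeMetadataCheck:
    integrity_ok: bool        # document is byte-for-byte what vct#integrity commits to
    authenticity_basis: str   # what, if anything, vouches for who produced it


def check_type_metadata(data: bytes, integrity: str, source: str) -> TypeMetadataCheck:
    """Answer the two separate questions: is the document unmodified, and who vouches for it?"""
    ok = integrity_matches(data, integrity)
    if source == "https":
        basis = "party controlling the vct URL (TLS-authenticated fetch)"
    elif source == "glue":
        basis = "none: the Issuer supplied both the document and vct#integrity"
    else:
        basis = "unknown source"
    return TypeMetadataCheck(ok, basis)


# Constructed sample documents (hypothetical vct, not a real registry entry).
GENUINE = json.dumps({"vct": "https://example.com/vct/constructed", "name": "Genuine"}).encode()
MANIPULATED = json.dumps({"vct": "https://example.com/vct/constructed", "name": "Tampered"}).encode()

if __name__ == "__main__":
    # A glue document that was altered and re-hashed by the Issuer still passes the integrity check.
    print(check_type_metadata(MANIPULATED, sri_digest(MANIPULATED), "glue"))
    # The same altered document fails against the hash of the genuine metadata.
    print(check_type_metadata(MANIPULATED, sri_digest(GENUINE), "https"))
```

The integrity check only detects changes relative to whatever hash the Issuer put in vct#integrity; deciding whether that hash itself is trustworthy is the authenticity question the issue raises.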

I was wondering about this part as well when reading the PR. My gut feeling would be that it might make sense to provide some mechanism with signed metadata as an option (for the cases where one cannot make meaningful assumptions about the transport/provider of the metadata).

The (largely unwritten?) threat model behind all this credential and token stuff assumes trust in the issuer. I recognize this is potentially perceived differently because the provider of type metadata is likely/sometimes not the same entity as the issuer. But the issuer still needs to be trusted, and if not, aren't there bigger concerns than the integrity of Type Metadata?