doas can be used with a doas.conf that is mode 600 or 400.

A user can do what they are permitted to do, but they can't read
doas.conf to see what is permitted.

Your proposal is a pretty big change.

So I don't think this is the right way to go.