
That would work somewhat—VID/PID can't be trusted but device class can be. But the problem is that on e.g. my MacBook with a single USB C port, sometimes I want to use a keyboard (either an actual keyboard or a YubiKey) and sometimes I don't (if I'm charging). If I plug in a hub I want to trust my hub but not someone else's device claiming to be a hub. And so forth.

Having a charging-only-by-default port would be a 90% solution, but would be very annoying for people who need to reauthorize a device every time they plug it in, which is why I think pairing is better. And I'm not sure what devices you can reasonably trust other than pure power. HID is definitely out for fear of Rubber Ducky-style attacks. External video adapters can read your screen. Headphones can listen in on calls. Thumbdrives / PTP devices might be safe if handled carefully but are kind of the classic worry, so I'm not sure if people will want those. Maybe pure U2F devices, webcams, and audio input devices? Not sure how useful or user-friendly such a restriction would be.




I guess what I'm picturing is the first time you plug in your keyboard/Yubikey/whatever, your system prompts you "A new device 'AcmeCo USB Keyboard' (VID=xxxx/PID=xxxx) wants to provide service(s): Keyboard Input. Allow? Once/Always/No/Never." After that, your system saves that combination, and assuming you authorized it permanently, whenever you plug in that VID/PID, it has access to be a keyboard.

If it tries to present another HID later, that would result in a new prompt, the same as a brand new device. If it changes HID while plugged in, that could even be a more severe message along the lines of "Hey, this keyboard just tried to become a video adapter and thumb drive, that's really suspicious and you should probably destroy it with fire".

Likewise, VID/PID changing without being unplugged/replugged in, changing too quickly, or even just after too many new VID/PIDs in a short time period should result in a temporary lockdown -- in the same way fail2ban blocks repeated login attempts from a given IP.
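
The prompt, remember, re-prompt and lockdown behaviour sketched in this comment, as an added example: this is my own Python simulation of that policy, not code from the thread or from any real OS; port names, VID/PID values, class names and thresholds are all constructed for illustration.

```python
from collections import deque
# Added example simulating the pairing policy discussed above; all values are constructed.
class UsbPairingPolicy:
    def __init__(self, max_new_ids=3, window_s=10.0, lockdown_s=60.0):
        self.max_new_ids = max_new_ids  # distinct new VID/PIDs tolerated per window
        self.window_s = window_s        # sliding window used to count identities
        self.lockdown_s = lockdown_s    # how long a port stays locked once tripped
        self.trusted = {}       # (vid, pid) -> set of permanently allowed classes
        self.recent = {}        # port -> deque of (timestamp, (vid, pid))
        self.locked_until = {}  # port -> timestamp when the lockdown ends
        self.attached = {}      # port -> (vid, pid, frozenset(classes)) while plugged

    def authorize(self, vid, pid, classes):
        """Record the user's 'Always' answer for this identity and class set."""
        self.trusted.setdefault((vid, pid), set()).update(classes)

    def unplug(self, port):
        self.attached.pop(port, None)

    def _tripped(self, port, now):
        return self.locked_until.get(port, 0.0) > now

    def _count_identity(self, port, ident, now):
        q = self.recent.setdefault(port, deque())
        while q and now - q[0][0] > self.window_s:  # expire entries outside the window
            q.popleft()
        if ident not in (i for _, i in q):
            q.append((now, ident))
        if len(q) > self.max_new_ids:  # too many fresh identities: fail2ban-style lock
            self.locked_until[port] = now + self.lockdown_s

    def plug(self, port, vid, pid, classes, now):
        """Return 'locked', 'suspicious', 'prompt' or 'allow' for one plug event."""
        if self._tripped(port, now):
            return "locked"
        ident, wanted = (vid, pid), frozenset(classes)
        prev = self.attached.get(port)
        # A device that changes VID/PID or interface classes without an unplug is
        # treated as hostile: lock the port outright instead of re-prompting.
        if prev is not None and prev != (vid, pid, wanted):
            self.locked_until[port] = now + self.lockdown_s
            self.unplug(port)
            return "suspicious"
        self._count_identity(port, ident, now)
        if self._tripped(port, now):
            return "locked"
        self.attached[port] = (vid, pid, wanted)
        if wanted - self.trusted.get(ident, set()):
            return "prompt"  # brand-new device or a new class on a known one: ask
        return "allow"
```

A real implementation would hook the OS's device-enumeration events and persist `trusted` to disk; here the caller feeds in plug/unplug events with explicit timestamps so the logic can be exercised deterministically.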


What prevents a malicious device from pretending to be a common model of keyboard (say the most common Apple or Dell one)?



