It's possible that we could adopt some policy like "if the root.crt file exists then default to verify" ... but that seems messy and unreliable, so I'm not sure it would really add any security.
That is what we do. If root.crt exists, we default to verify-ca.
And yes, it is messy and unreliable. I don't know if it adds any security or not.
Or do you mean we could default to verify-full instead of verify-ca?