What do you think about enabling libwrap in all packages by default?
It gives an additional (and easy-to-control) layer of security, right before anything hits MariaDB internal access verification. FWs sometimes are ugly and not working under high load, plus not everybody uses clouds to keep things secured.
I would recompile it myself, as I am usually doing with all RPMs in my systems (I work with CentOS), however, cmake/bazaar is a real headache to work with/support (IMHO), tried few times and find myself investing too much time into it though I could compile MariaDB with it in the end.
Your page about "considering source rpm" is too old and no news. Maybe it can be done out of box?
I am used to compile almost everything from source rpms and adjust everything I need on the fly, so don't mind to have source rpm as well. But if everything remains as is - well,no choice then and need to either reconsider security again or get back to bazaar/cmake journey...