"I" I doubt would be allowed in the threat model unless you're someone notable like a patio11 or similar. Otherwise you're just as potentially compromised as the original threat.
I would think you’d also at least have to be patio11, Inc., with business liability insurance and documented processes. No individual is going to be trusted by any company that would care about this threat model.
> No individual is going to be trusted by any company that would care about this threat model.
Many (most?) companies do not care about threat models. Rather, for them, security is an exercise in box-ticking so that they can sell to other companies who, in turn, also don't care about threat models, but who do have stakeholders who want to be told that everything is fine.
There is also the question of what it means for a company to care about something or for a company to trust something. Really, it's decision makers at those companies acting together, and as the number of those people rises, it's easier for them to justify not caring about security, if indeed they once did, because of the diffusion of responsibility.
Finally there are the companies that have at least one person who actually cares about security and/or the well-being of their users/customers, who is in a sufficiently powerful position that the company effectively "cares about security". These are the complement of the "many (most?) companies" in the first sentence.
Can be offered by anybody. “Hey I can offer full SSCS-2 compliance on these open source projects. Only $10K per month!”