> As a minor suggestion:
> > Additionally, add an $allowed_classes parameter to both getMetadata() implementations, defaulting to the current behavior of allowing any classes (true). This will be passed to the call to unserialize() performed internally.
> Rather than adding an $allowed_classes parameter, I'd add a general $unserialize_options parameter that just gets passed through to unserialize. E.g.. we also have a "max_depth" option, which also seems potentially useful. This will ensure that any new limitations we implement for unserialize() will also be available in this context.
That sounds like a better idea than what I originally had - I'd forgotten about the max_depth option getting added in php 8.0.