I guess the "right way" to do this is to have some sort of PKI that authenticates twoots coming from an account and makes it possible to publish an account change announcement (or whatever the right terminology is for the Mastodon API) after a takeover has happened
which introduces its own headaches, to be sure, but if it's an optional feature then I don't think those issues are any worse than allowing each instance's sysadmins to run amok?