"I'll be holding on to my AV for a while longer. Did Google say who should be in charge of whitelisting? Was it them, by any chance?"
Whitelisting is only practical in a business setting where there's a boss to dictate terms. In this case, it's the boss who manages the whitelist.
In a home setting, no whitelist can be considered safe except one curated by the user him/herself, only most users lack the aptitude to correctly curate a whitelist. And placing it in someone else's hands essentially places your trust in a Trent who could really be Mallory.