We've long disabled cert pinning for Gecko updates because of the relatively high occurrence of SSL MitM'ing that breaks it. Sometimes this is AV vendors, sometimes this is other things - but in all cases, any user whose connection to aus5.mozill.org is MitM'ed cannot install Gecko Media Plugins. This likely means that there's a significant number of people who cannot use Netflix in Firefox because Widevine won't install. The route we've gone with Gecko and System Addon updates is to sign the payload instead. For Gecko and System Addons, this means signing the MAR or XPI with a key that only we have access to, and verifying that on the client side. For GMP this may look different because we're not always the ones building the plugins. In any case, we'd need to have all plugins signed by some key (doesn't have to be the same one), and verify them on the client side before running them. And once we disable pinning, signing a plugin would become a prerequisite to shipping it to users.
It looks like the most likely way we'll get here is to sign the XML response from Balrog.
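The scheme sketched above, as an added example rather than Mozilla's or Balrog's own code: the update service signs the serialized XML response, and the client accepts a plugin only if the manifest signature verifies and the payload matches the hash the signed manifest commits to. The XML shape, the Ed25519 key and the `hashValue` attribute are assumptions for the sketch, not Balrog's real schema.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/xml"
	"fmt"
)

// Constructed payload standing in for a GMP archive; the XML below is an assumed shape, not Balrog's schema.
var pluginBytes = []byte("constructed GMP plugin payload")

type updatesXML struct {
	Update struct {
		HashValue string `xml:"hashValue,attr"`
	} `xml:"update"`
}

// Server side: the manifest commits to the payload's SHA-256, and the service signs the XML with its private key.
func buildManifest(plugin []byte) string {
	return fmt.Sprintf(`<updates><update name="gmp-example" hashFunction="sha256" hashValue="%x"/></updates>`, sha256.Sum256(plugin))
}

// Client side: without TLS pinning, the signature ties the response to the service and the signed hash ties the payload to it.
func verifyAndCheck(pub ed25519.PublicKey, manifest string, sig, plugin []byte) error {
	if !ed25519.Verify(pub, []byte(manifest), sig) {
		return fmt.Errorf("manifest signature invalid: response altered or not from the update service")
	}
	var u updatesXML
	if err := xml.Unmarshal([]byte(manifest), &u); err != nil {
		return fmt.Errorf("malformed manifest: %w", err)
	}
	if got := fmt.Sprintf("%x", sha256.Sum256(plugin)); got != u.Update.HashValue {
		return fmt.Errorf("payload hash %s does not match the signed manifest; refusing to install", got)
	}
	return nil
}

// runScenarios: a genuine response, a manifest replaced in transit to describe a substitute payload, and a substituted payload behind the genuine manifest.
func runScenarios() (genuine, replaced, swapped error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err, err, err
	}
	manifest := buildManifest(pluginBytes)
	sig := ed25519.Sign(priv, []byte(manifest))
	evil := []byte("constructed substitute payload")
	genuine = verifyAndCheck(pub, manifest, sig, pluginBytes)
	replaced = verifyAndCheck(pub, buildManifest(evil), sig, evil)
	swapped = verifyAndCheck(pub, manifest, sig, evil)
	return genuine, replaced, swapped
}
```

The second and third scenarios are the two things an interceptor on an unpinned connection could do, and both are rejected on the client regardless of what the TLS layer saw.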
Mass change P2->P3 to align with new Mozilla triage process.