'Approved' isn't the right word.
OneGet has the notion of 'trusted' repositories. We're likely to expand this concept a bit in the future, but for now, that's what it is.
Built-in package sources from reputable sources may be marked as 'trusted' by default, but the majority of sources should be 'untrusted' until the user makes that change.
The real trick is getting package provider plugins to tell OneGet the truth if a repository is trusted or not.
I suspect that we're going to have to introduce a level of trust with the package providers too, and expose this to the user.