This was discussed recently on zsh-security and also way back in 2015 in workers/36685. It does not address the emulation mode issue mentioned last January in workers/47857 and replies.

This accomplishes a few of the things mentioned in 36685. For one, it's now possible to use "autoload -r" to assure that functions are loaded from the locations where compinit found them, which was not supported in 2015. Authors of plugin managers and other add-ons that re-run compinit should take note.

For another, with the changes herein, "compinit -i" attempts to update the fpath to remove any insecure directories (unless the -C option loads an existing dump file). Unfortunately this further complicates the emulation mode issue.

Finally, this addresses a long-standing confusion about the meaning of the "Ignore insecure X and continue?" prompt. Prior to this patch, it had the same effect as "compinit -u", that is, it ignored the result of compaudit. With the patch, it acts like "compinit -i" and ignores (skips autoloading of) the suspect files and/or directories. I believe this change was discussed at least once (long ago) and rejected because of the difference in behavior, but I can't find the reference and it seems unlikely that anyone is frequently encountering this prompt.
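
As an added illustration (not code from the patch or from zsh itself), the POSIX shell sketch below shows the kind of filtering the message describes for "compinit -i": dropping directories that fail an ownership and write-permission test before anything is loaded from them. The definition of "insecure" used here and the names insecure_path, secure_dirs and demo are assumptions of this example, not compaudit's actual logic.

```shell
#!/bin/sh
# Added example: a simplified stand-in for an fpath audit, NOT compaudit's code.
# Assumption: "insecure" means group- or world-writable, or owned by an
# account other than root or the current user.

# insecure_path PATH: succeeds (0) when PATH fails the test above.
insecure_path() {
    me=$(id -u)
    # -H follows a symlinked argument; -prune stops find descending into it.
    hit=$(find -H "$1" -prune \
        \( -perm -020 -o -perm -002 -o \( ! -user 0 ! -user "$me" \) \) \
        -print 2>/dev/null)
    [ -n "$hit" ]
}

# secure_dirs DIR...: prints, one per line, the directories that pass,
# checking each directory and its parent; rejected ones are named on stderr.
secure_dirs() {
    for d in "$@"; do
        [ -d "$d" ] || continue            # drop entries that do not exist
        if insecure_path "$d" || insecure_path "$(dirname "$d")"; then
            printf 'skipping insecure: %s\n' "$d" >&2
        else
            printf '%s\n' "$d"
        fi
    done
}

# Constructed demo: one clean directory, one world-writable, one missing.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/good" "$tmp/bad"
    chmod 755 "$tmp/good"
    chmod 777 "$tmp/bad"
    secure_dirs "$tmp/good" "$tmp/bad" "$tmp/missing" 2>/dev/null
    rm -rf "$tmp"
}
```

Only the directories printed on standard output would be kept in the search path; the rest are skipped rather than trusted, which is the distinction the message draws between "-i" and "-u".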