Failure as early as possible and with as little I/O performed as possible would definitely be my preference, but even writing and then bailing with deletion would be acceptable for us, I expect.
I agree that just how widely such a feature would be used is hard to say. If nobody has requested it yet in the 25 years that Subversion has been available, that probably tells us something. But I see signs that the industry is ramping up security compliance efforts, so perhaps more attention will be paid in the future to this class of problem. See e.g. CWE-400. https://cwe.mitre.org/data/definitions/400.html --sbp