Customize what packages get installed

Hi!

After fiddling around with pkgbase for a while realized that this is a very convenient way to customize what software gets installed or upgraded in a system compared to a custom make.conf.

But after asking the forums (https://forums.freebsd.org/threads/how-to-correctly-slim-down-a-base-system-using-pkgbase.100605/) I haven’t found a documented way to do this.

If I for some reason like security, storage or any other reason decide to build a slimmed down system I would like to filter what packages get installed during upgrade. (I understand that first installation is a different problem).

Is there any production ready or recommended way to do this? 

I could think of at least a few situations where this would be really nice:
  * Embedded systems where storage is limited
  * High security systems where only the needed binaries should be available
  * Single process jails

I get that for jails I could just install the packages needed, but it would be nice to have a standard way to choose the packages you need.

A side track for this question is security updates. Using 14.3 upgrading to a new patch level pkg upgraded all installed FreeBSD-base packages at the new patch level. Why couldn’t it just install the packages that changed with that patch level? I understand that the new repo has to have all packages, but maybe there should be a way to signal to pkg what packages are actually needed for that patch level.  

Thanks!

/Peter.