a sad story about /usr/sbin/sshd and pkg triggers

From: Lexi Winter <ivy_at_freebsd.org>
Date: Thu, 30 Oct 2025 20:25:37 UTC

hello,

there is a known issue in sshd(8) where, if you replace the sshd binary
on disk, but do not restart sshd, it will no longer accept connections
until the service is restarted.

for freebsd-update, we solve this by restarting the sshd service if the
sshd binary is updated.

for pkgbase, i wanted to do this with a trigger, but it seems like this
doesn't work because pkg only considers directories when evaluating
triggers, i.e. you can't say 'path: "/usr/sbin/sshd"' since the trigger
will never be matched.

this means that future security updates to sshd in 15.0 might lock
people out of their system when we don't restart sshd.

does anyone have a specific, actionable suggestion on how we can fix
this today for 15.0?

note, we cannot use a post-install script since pkg kills all
subprocesses of the post-install script before exiting.