The decision is clear to accept only SWHIDs that are already in the archive.
In the metadata-only deposit a swhid is required.
The existence of the swhid in the archive, on the other hand, is only recommended (with SHOULD in the specs).
With the option to potentially give metadata on an object that isn't in the archive, we open the door to new possibilities but also to human errors.
Should we restrict the deposit to existing swhids, or should we trust the deposit clients that they used the exact swhid they intended to use?