I think only big arrays coming from external sources should be checked.

I tend to agree here.
We discussed it with Remote last week. I was trying to explain why having a
crafted hash function for inputs may be better and safer. That includes
get/post/env/serialize/json and the likes.
The performance impact is most likely minimal if it applies only to these, while
ensuring better protection from a long-term point of view.
I may be wrong and did not think much more than brainstorming about it. So
take it with a bit of salt :)