Imho it will be much easier to replace blobs with verifiably correct blobs or add the source to build them than to retroactively find the original builds from whence they came.
Searching for some of those binaries looks like it would require comparing the hash against a large set of candidates which would need to first be unpacked from releases (fedora mostly???) and hashed unless the hashes already exist somewhere.
Yes