To be very honest, I've seen the reproducibility and key rotation problems
be such a concern that I don't think we'd want to have those in the
archive. I think embedded signatures do make sense if your primary way
to transport .debs is off-repos and/or you also want to track provenance,
have a small set of binaries, or are prepared to rebuild everything to
be able to re-sign (even on a stable release), otherwise for something
like Debian the current repo-signing has always felt superior in all
possible ways.
And IMA indeed has the exact same problem, and I'm also not at all convinced
about them for the Debian archive. Yet, I still think it would
be nice to have a format that might make it possible to explore that,
because perhaps for some organizations or distribution methods it does
make sense. (Because decoupling the IMA signatures from the general
filesystem metadata payload means injecting or changing them is going
to be way easier.)