Should Administrate handle request parameters differently?
(Bringing here a comment that I left at https://github.com/thoughtbot/administrate/pull/1773#discussion_r510007829, for visibility and discussion.)
Search params are sanitized at the bottom (templates/helpers), with information about what's allowed flowing top-to-bottom
- Dashboard/template figures out which params it allows.
- It renders partial and tells it "please allow these params along with those you allow"
I wonder if this should be sanitized at the top (the controller), with this info flowing bottom-to-top:
- Dashboards need to publish which params they allow
- Controller asks for those lists, then sanitizes params before rendering the top template.
- Templates don't need to know about sanitising.
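To make the bottom-to-top proposal concrete, here is an added sketch in plain Ruby (example code, not Administrate's own, and it deliberately does not depend on Rails or `ActionController::Parameters`). The class names, the `permitted_params` method and the `sanitize_params` helper are all hypothetical: each dashboard or partial publishes the keys it accepts, and a single controller-level step collects those lists and drops everything else, including non-scalar values, before any template runs.

```ruby
# Added sketch (hypothetical API, not Administrate code): dashboards and
# partials publish the request params they accept; the controller collects
# those lists and filters the request once, before rendering.

class UserDashboard
  # Hypothetical: search/sort params this dashboard's index page accepts.
  def self.permitted_params
    %i[search order direction page]
  end
end

class StatusFilterPartial
  # Hypothetical: a partial that renders a filter needs one extra param.
  def self.permitted_params
    %i[status]
  end
end

# Controller-side sanitisation. Only keys published by some dashboard or
# partial survive, and only with scalar (String) values, so a nested hash
# or array smuggled in under a permitted key is dropped too.
def sanitize_params(raw_params, publishers)
  allowed = publishers.flat_map(&:permitted_params).map(&:to_s).uniq
  raw_params.each_with_object({}) do |(key, value), clean|
    next unless allowed.include?(key.to_s)
    next unless value.is_a?(String)
    clean[key.to_s] = value
  end
end

# Constructed sample request params, including keys an attacker might add
# and a nested value under an otherwise-permitted key.
RAW_PARAMS = {
  "search" => "alice",
  "order" => "email",
  "status" => "active",
  "admin" => "true",
  "page" => { "limit" => "100000" },
  "sql" => "1; DROP TABLE users"
}.freeze

# What the controller would hand to the top template.
def sanitized_for_index
  sanitize_params(RAW_PARAMS, [UserDashboard, StatusFilterPartial])
end

if __FILE__ == $PROGRAM_NAME
  p sanitized_for_index
end
```

The point of the shape is that templates and partials only ever see `sanitized_for_index`; adding a new partial means adding one `permitted_params` list, not threading allow-lists through every render call.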