Megathread: Community Submissions for DFINITY Foundation’s Roadmap

Here is another feature I’d like to get on the way, if possible:

Certified queries

Our update calls are nicely certified by the system. The canister doesn’t have to do anything, and all these calls are signed by the subnet. This is not the case for query calls, which are pretty much insecure by default. Yes, in some cases canisters can use certified variables to fix that, but it’s not always possible, and even if it is, it is fairly non-trivial. So as @senior.joinu rightfully asks: “why don’t we make this safe by default”.

A very vague design was discussed internally once, in the document “Certified variables” (only internally visible, found the link in my browser history).

@diegop, do you have the authority to allow me to re-share my thoughts on the implementation publicly that I wrote into that document back then? I am not sure whether any of that might be considered a “secret” that I must not discuss publicly. But maybe it’s fine if the implementation is hashed out internally only, as long as we outsiders get the feature eventually :slight_smile:

It would be good to get this on the roadmap, as I think “secure queries by default” beholds the Internet Computer better than what we have right now. The current query methods could still be provided opt-in for those developers who made a deliberate choice.

Also, I think this can help with Inter-canister query calls; it might be the necessary solution for the question of “what to do with calls from query methods when in replicated state”. So it might be timely to discuss this variant too.