Webhook Verification
closed
Scott Heliker
Ability to verify that our webhook payloads from the OAuth 2.0 API are coming from High Level would be great.
Something similar to this possibly.

Karthik Anand (HighLevel)
closed

Karthik Anand (HighLevel)
complete
Sergio Leon
Agreed! HMAC validation using the Client Secret as key derivation material is the de facto standard for this.
Only caveat I would put, this needs to be opt-in, not like in the picture.
Requiring that the receiver verify the payload at the point of catching the webhook would harm integrators' ability to use off-the-shelf platforms.
Making it opt-in would also allow for store-and-forward architectures that defer evaluation of the signature (e.g., enqueuing incoming messages and applying throttling to smooth out peaks in resource utilization).
Georgi Anastasov
Yes, right now there is no way to verify if the webhook is actually coming from GHL. HMAC validation will be a great way to achieve this.
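
Added example, not part of the thread and not HighLevel's implementation: a sketch of the deferred (store-and-forward) HMAC verification discussed in the comments above, where the edge receiver enqueues the exact raw bytes with the signature and a worker verifies them later. The header name, the HMAC-SHA256 scheme, the key-derivation label and all sample values are assumptions.

```python
import hashlib
import hmac
import json
from collections import deque

SIGNATURE_HEADER = "x-webhook-signature"  # hypothetical header name

def derive_key(client_secret: str) -> bytes:
    # Assumed derivation: HMAC of a fixed label under the client secret,
    # so the secret itself is not used directly as the signing key.
    return hmac.new(client_secret.encode(), b"webhook-signing-v1", hashlib.sha256).digest()

def sign(key: bytes, raw_body: bytes) -> str:
    return hmac.new(key, raw_body, hashlib.sha256).hexdigest()

def verify(key: bytes, raw_body: bytes, signature: str) -> bool:
    # Constant-time comparison over bytes; a missing or garbled header fails.
    expected = sign(key, raw_body).encode()
    return hmac.compare_digest(expected, signature.strip().lower().encode())

def receive(queue: deque, headers: dict, raw_body: bytes) -> None:
    # Edge receiver: holds no secret and parses nothing. It stores the exact
    # bytes next to the signature so a worker can check them later.
    lowered = {k.lower(): v for k, v in headers.items()}
    queue.append((raw_body, lowered.get(SIGNATURE_HEADER, "")))

def drain(queue: deque, key: bytes):
    # Worker: verify first, parse only what verified.
    accepted, rejected = [], []
    while queue:
        raw_body, signature = queue.popleft()
        if verify(key, raw_body, signature):
            accepted.append(json.loads(raw_body))
        else:
            rejected.append(raw_body)
    return accepted, rejected

def demo():
    key = derive_key("constructed-client-secret")  # constructed sample value
    body = b'{"event":"example","id":"abc123"}'    # constructed payload
    good = {"X-Webhook-Signature": sign(key, body)}
    queue = deque()
    receive(queue, good, body)                                   # intact
    receive(queue, good, json.dumps(json.loads(body)).encode())  # re-serialized
    receive(queue, {}, body)                                     # unsigned
    return drain(queue, key)
```

The second message in `demo()` is rejected even though its JSON content is identical: a queue that parses and re-serializes the body changes the bytes, so deferred verification only works if the raw body is stored untouched.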