diff --git a/.changeset/cyan-moons-drive.md b/.changeset/cyan-moons-drive.md
new file mode 100644
index 0000000000..8cc962f404
--- /dev/null
+++ b/.changeset/cyan-moons-drive.md
@@ -0,0 +1,6 @@
+---
+"@pnpm/config": major
+"pnpm": major
+---
+
+`strictDepBuilds` is `true` by default.
diff --git a/.changeset/evil-boats-do.md b/.changeset/evil-boats-do.md
new file mode 100644
index 0000000000..6abb48fd3d
--- /dev/null
+++ b/.changeset/evil-boats-do.md
@@ -0,0 +1,6 @@
+---
+"@pnpm/config": major
+"pnpm": major
+---
+
+`blockExoticSubdeps` is `true` by default.
diff --git a/config/config/src/index.ts b/config/config/src/index.ts
index 16f0533b24..0f3c521dbd 100644
--- a/config/config/src/index.ts
+++ b/config/config/src/index.ts
@@ -203,14 +203,14 @@ export async function getConfig (opts: {
     'public-hoist-pattern': [],
     'recursive-install': true,
     registry: npmDefaults.registry,
-    'block-exotic-subdeps': false,
+    'block-exotic-subdeps': true,
     'resolution-mode': 'highest',
     'resolve-peers-from-workspace-root': true,
     'save-peer': false,
     'save-catalog-name': undefined,
     'save-workspace-protocol': 'rolling',
     'scripts-prepend-node-path': false,
-    'strict-dep-builds': false,
+    'strict-dep-builds': true,
     'side-effects-cache': true,
     symlink: true,
     'shared-workspace-lockfile': true,
diff --git a/exec/build-commands/test/approveBuilds.test.ts b/exec/build-commands/test/approveBuilds.test.ts
index 3616c793c2..48e294f81d 100644
--- a/exec/build-commands/test/approveBuilds.test.ts
+++ b/exec/build-commands/test/approveBuilds.test.ts
@@ -39,6 +39,7 @@ async function approveSomeBuilds (opts?: _ApproveBuildsOptions) {
     cacheDir: path.resolve('cache'),
     pnpmfile: [], // this is only needed because the pnpmfile returned by getConfig is string | string[]
     enableGlobalVirtualStore: false,
+    strictDepBuilds: false,
   }
   await install.handler({ ...config, argv: { original: [] } })
 
@@ -70,6 +71,7 @@ async function approveNoBuilds (opts?: _ApproveBuildsOptions) {
     storeDir: path.resolve('store'),
     cacheDir: path.resolve('cache'),
     pnpmfile: [], // this is only needed because the pnpmfile returned by getConfig is string | string[]
+    strictDepBuilds: false,
   }
   await install.handler({ ...config, argv: { original: [] } })
 
diff --git a/pnpm/test/configurationalDependencies.test.ts b/pnpm/test/configurationalDependencies.test.ts
index 2ccf7319a4..9af193da44 100644
--- a/pnpm/test/configurationalDependencies.test.ts
+++ b/pnpm/test/configurationalDependencies.test.ts
@@ -46,6 +46,7 @@ test('selectively allow scripts in some dependencies by onlyBuiltDependenciesFil
       '@pnpm.e2e/build-allow-list': `1.0.0+${getIntegrity('@pnpm.e2e/build-allow-list', '1.0.0')}`,
     },
     onlyBuiltDependenciesFile: 'node_modules/.pnpm-config/@pnpm.e2e/build-allow-list/list.json',
+    strictDepBuilds: false,
   })
 
   await execPnpm(['add', '@pnpm.e2e/pre-and-postinstall-scripts-example@1.0.0', '@pnpm.e2e/install-script-example'])
diff --git a/pnpm/test/install/misc.ts b/pnpm/test/install/misc.ts
index e5c12c41cc..0027667896 100644
--- a/pnpm/test/install/misc.ts
+++ b/pnpm/test/install/misc.ts
@@ -193,6 +193,7 @@ test('not top-level packages should find the plugins they use', async () => {
       test: 'standard',
     },
   })
+  fs.writeFileSync('pnpm-workspace.yaml', 'allowBuilds: { "es5-ext": false }', 'utf8')
 
   await execPnpm(['install', 'standard@8.6.0'])
 
diff --git a/pnpm/test/install/nodeRuntime.ts b/pnpm/test/install/nodeRuntime.ts
index 8ca6d59d2b..881900b29a 100644
--- a/pnpm/test/install/nodeRuntime.ts
+++ b/pnpm/test/install/nodeRuntime.ts
@@ -4,6 +4,7 @@ import { execPnpm } from '../utils/index.js'
 
 test('installing a CLI tool that requires a specific version of Node.js to be installed alongside it', async () => {
   prepare()
+  fs.writeFileSync('pnpm-workspace.yaml', 'allowBuilds: { "@pnpm.e2e/cli-with-node-engine@1.0.0": true }', 'utf8')
 
   await execPnpm(['add', '@pnpm.e2e/cli-with-node-engine@1.0.0'])
   await execPnpm(['exec', 'cli-with-node-engine'])
diff --git a/pnpm/test/server.ts b/pnpm/test/server.ts
index 0d4985080a..a3034ccd35 100644
--- a/pnpm/test/server.ts
+++ b/pnpm/test/server.ts
@@ -152,6 +152,7 @@ test('stopping server fails when the server disallows stopping via remote call',
 skipOnWindows('uploading cache can be disabled without breaking install', async () => {
   await using setup = prepareServerTest(['--ignore-upload-requests'])
   const { project } = setup
+  fs.writeFileSync('pnpm-workspace.yaml', 'allowBuilds: { "es5-ext": false, "diskusage": true }', 'utf8')
 
   // TODO: remove the delay and run install by connecting it to the store server
   // Can be done once this gets implemented: https://github.com/pnpm/pnpm/issues/1018
diff --git a/store/plugin-commands-store/test/storeStatus.ts b/store/plugin-commands-store/test/storeStatus.ts
index 0509be2340..0bfe381c8f 100644
--- a/store/plugin-commands-store/test/storeStatus.ts
+++ b/store/plugin-commands-store/test/storeStatus.ts
@@ -1,3 +1,4 @@
+import fs from 'fs'
 import path from 'path'
 import { type PnpmError } from '@pnpm/error'
 import { store } from '@pnpm/plugin-commands-store'
@@ -53,6 +54,7 @@ test('CLI fails when store status finds modified packages', async () => {
 
 test('CLI does not fail when store status does not find modified packages', async () => {
   const project = prepare()
+  fs.writeFileSync('pnpm-workspace.yaml', 'allowBuilds: { "es5-ext": false, "fsevents": true }', 'utf8')
   const tmp = temporaryDirectory()
   const cacheDir = path.join(tmp, 'cache')
   const storeDir = path.join(tmp, 'store')