Leave auto-updates a very strong default and have the user specifically disable auto-updates on a per-snap basis if they so desire. The average user will keep it enabled anyway, I believe. However, edge-cases where a manual update process is required are covered by this.
For example an admin needing to greenlight a critical application first before it gets used on workstations or a crucial piece of infrastructure that may not have any unpredictable downtime. Easy pinning of specific versions would also be a use-case.
For the average case, @galgalesh’s proposals + the work on refresh app awareness ([WIP] Refresh App Awareness) will solve nearly all perceived problems on the desktop and thus I believe such a setting could be implemented without it becoming the go-to hack for frustrated users.