Known_hosts and Foreman Ansible

This is a hard problem to solve for everyone. In some organizations you can already trust the host being present in /etc/ssh/ssh_known_hosts (puppet-ssh could easily do this with exported resources). Disabling host key checking then lowers the security for no usability benefit.

As you say, managing ~foreman-proxy/.ssh/known_hosts is also tricky and might not be workable.

Given it’s a warning, there’s a huge chance admins won’t read it. I know plenty of people who are as lazy as I am and just see “my install package x playbook worked” so I’m happy. When using password-based authentication it’s also already too late if you really were MITM’ed.

There’s no silver bullet. I think we should default to a secure installation even if that’s less convenient. What you could do is provide an easy way to add known hosts and document it.
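One way to provide the “easy way to add known hosts” suggested above, as an added example that is not code from this post or from Foreman: a known_hosts entry is appended from an `ssh-keyscan` line only when the key’s SHA256 fingerprint matches one obtained out of band (for example from the host’s console with `ssh-keygen -lf`). The host name, file path and key blob are constructed for the example.

```python
import base64
import hashlib
from typing import Optional

# Constructed test data: real keys are the base64 wire encoding of the public
# key, but the fingerprint algorithm does not care what the bytes mean.
SAMPLE_BLOB = base64.b64encode(b"constructed-test-blob-not-a-real-key").decode()
# Shape of one stdout line from: ssh-keyscan -t ed25519 web01.example.test
SAMPLE_SCAN_LINE = f"web01.example.test ssh-ed25519 {SAMPLE_BLOB}"


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: "SHA256:" + base64(sha256(raw key)), no padding.

    This is what `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` prints on the
    target, which is the out-of-band value an admin compares against."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verified_entry(scan_line: str, expected_fp: str) -> Optional[str]:
    """Turn a keyscan line into a known_hosts line, but only if the scanned
    key's fingerprint equals the expected one. Returns None otherwise, so a
    MITM'ed scan is never trusted on first use."""
    parts = scan_line.split()
    if len(parts) != 3:          # keyscan lines are "host keytype base64"
        return None
    host, keytype, blob = parts
    if fingerprint(blob) != expected_fp:
        return None
    return f"{host} {keytype} {blob}\n"


def add_known_host(path: str, scan_line: str, expected_fp: str) -> bool:
    """Append a verified entry to e.g. ~foreman-proxy/.ssh/known_hosts.

    With this in place there is no need for `host_key_checking = False` in
    ansible.cfg; Ansible's ssh will find the host and refuse a changed key."""
    entry = verified_entry(scan_line, expected_fp)
    if entry is None:
        return False
    with open(path, "a", encoding="ascii") as fh:
        fh.write(entry)
    return True
```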