As per Ned Batchelder's proposal, why not rename load to dangerous_load, and alias safe_load to load? (Or perhaps, leave load undefined, so that secure code doesn't become insecure when run on an earlier version of PyYAML)
If this is done, code can no longer be accidentally insecure through forgetfulness or lack of care. Instead, people will only have the ability to run arbitrary code if they specifically intend for that and all its consequences.
The downside is losing backwards compatibility. Maybe the move could be done in a two-step process that deprecates load first?