Pause functions are actually considered a matter of best practice. It's a way of mitigating the contract's risk. Now, who gets control of the pause function is an entirely separate discussion worth having. The controlling address could be a contract implementing a multisig scheme, allowing for the decision to be made by more than just a single individual.
https://consensys.github.io/smart-contract-best-practices/ge...