I think this is not possible by design. When USB was invented it was made to replace cumbersome communication methods like parallel and serial cables, proprietary interfaces with a standardized cable and plug. It would also address programming issues by standardizing the lower layer driver model so that drivers could be programmed more easily.
Finally, I would say USB exists because of its hot-plug capabilities. This for sure is one of the most comfortable features of today's computers. I remember what a pain in the ass it would be if you forgot to plug in the keyboard at boot time (server for example): Some of them needed a complete reboot to detect the PS/2 keyboard at all.
Nobody was thinking of security issues at that time. USB sticks did not exist, and all devices connected to USB were more or less stupid. So USB does not use standardized ways of flashing firmware or detecting "illegal" behaviour.
A USB hub is a really stupid device: It handles the hot-plug insertion of a new device into the communication (AFAIK by briefly and forcefully interrupting all others) and the removal. It can see what the power requirements of a device are and forbid a new device from coming online if it draws too much power. That's mostly all, and it's OK like that: They can be cheap and very fast.
A USB hub will not inspect the data that's passing through, nor will the controller. It is simply not designed to do it, and this is not written in any specification. One could argue now that restricting port use to only allow certain classes could be compatible with the specs BUT: Class devices are also complicated: Think of a combined mouse/keyboard wireless transmitter. It will show up as a multi-device, exposing both a mouse and a HID component. Most of them can run with basic OS drivers, but can also be used with specific vendor software to permit enhanced features like additional function keys or high DPI rates. I love my Roccat gaming mouse for having 3200 dpi, for example. So after being registered as a class device, it somehow switches mode if the right driver is installed on the PC.
All other stuff must be handled by the OS. Allowing a driver to load or not is fully in the hands of the OS core. There is software on the market to control the use of USB ports which could behave in the way you want.
IMHO you are trying to fix the wrong problem: If you are concerned about USB safety, you should simply turn off all USB ports or find/demand operating software that can achieve the policies you want on the OS level. Linux, for example, could be restricted to use only certain USB drivers via a custom kernel.
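An added example (not part of the original answer): the kind of OS-level class policy discussed above, written as a per-interface allowlist over a raw USB configuration descriptor, to show why composite devices complicate it. The descriptor bytes are constructed, and the vendor-specific interface on the mouse is an assumption made for illustration; the descriptor layout and class codes follow the USB specification.

```python
import struct

DT_CONFIG, DT_INTERFACE = 0x02, 0x04
HID, MASS_STORAGE, VENDOR = 0x03, 0x08, 0xFF   # USB-IF base class codes

def parse_interfaces(config: bytes):
    """Return (interface number, class, subclass, protocol) per interface."""
    if len(config) < 9 or config[1] != DT_CONFIG:
        raise ValueError("not a configuration descriptor")
    total = struct.unpack_from("<H", config, 2)[0]   # wTotalLength
    if total > len(config):
        raise ValueError("wTotalLength exceeds the data supplied")
    found, pos = [], 0
    while pos + 2 <= total:
        length, dtype = config[pos], config[pos + 1]
        if length < 2 or pos + length > total:
            raise ValueError("malformed descriptor length")
        if dtype == DT_INTERFACE and length >= 9:
            found.append((config[pos + 2], *config[pos + 5:pos + 8]))
        pos += length
    return found

def evaluate(config: bytes, allowed_classes: set):
    """Allow a device only if every interface class is on the allowlist."""
    interfaces = parse_interfaces(config)
    denied = [i for i in interfaces if i[1] not in allowed_classes]
    return ("allow" if interfaces and not denied else "block"), denied

# --- Constructed sample descriptors (not captured from real hardware) ---
def _iface(num, cls, sub, proto):
    # 9-byte interface descriptor followed by one 7-byte endpoint descriptor
    return bytes([9, DT_INTERFACE, num, 0, 1, cls, sub, proto, 0,
                  7, 0x05, 0x81 + num, 0x03, 8, 0, 10])

def _config(*ifaces):
    body = b"".join(ifaces)
    head = struct.pack("<BBHBBBBB", 9, DT_CONFIG, 9 + len(body),
                       len(ifaces), 1, 0, 0x80, 50)
    return head + body

RECEIVER = _config(_iface(0, HID, 1, 1), _iface(1, HID, 1, 2))  # keyboard + mouse
MOUSE_VENDOR = _config(_iface(0, HID, 1, 2), _iface(1, VENDOR, 0, 0))  # assumed layout
STORAGE_PLUS_HID = _config(_iface(0, MASS_STORAGE, 6, 0x50), _iface(1, HID, 1, 1))

if __name__ == "__main__":
    for name, cfg in [("receiver", RECEIVER), ("mouse+vendor", MOUSE_VENDOR),
                      ("storage+hid", STORAGE_PLUS_HID)]:
        print(name, evaluate(cfg, {HID}), evaluate(cfg, {MASS_STORAGE}))
```

A HID-only policy passes the keyboard/mouse receiver but blocks the mouse that also declares a vendor-specific interface, and a storage-only policy blocks a stick that additionally declares a keyboard interface; the decision is made per interface by the host, not by the hub.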