most packages in traditional package managers are not packaged officially, yet we use them all the time.
While there’s definitely truth in this, aren’t we already trusting the repos of traditional package manager by choosing to use the associated distro? So, by e.g. choosing to use Debian , you’ve already (somehow) accepted their packages to be ‘thrustworthy’. We already trust the developers of the apps/binaries we use. Therefore, we have two sets of parties we trust by default. I would rather not increase the amount of people I have to trust for software, but I can understand why others might differ on this.