You’re right to an extent, but there is nuance. No end user goes through the Debian repositories and checking the source code for each package by hand. You would be well within your rights to be annoyed if a rm -rf / got added into a script in the repos somehow. A level of trust somewhere is unavoidable for things to work smoothly.
Of course the difference in level of responsibility between core repos and random code pulled of github is vast.