Yeah, but the challenge that's being referred to (I think) is that having an unauditable supply chain on a security distribution is, in itself, a security risk.
You've got to imagine that Kali Linux is a very tempting target for supply chain attacks; if you can compromise a load of security testers, you might get access to all sorts of information...
It's not supposed to have any information or allow compromising security testers. It's never supposed to be used as someone's personal machine; it is intended to be used as a read-only live image or a disposable VM: you spin it up, launch a tool, note the results and wipe the machine, going back to a known state.
As you say, supply chain attacks are very much possible, especially because you're intentionally running various third-party exploits and malware which you are not going to be able to vet. So you don't expect it to be secure; you don't even bother trying to secure it or trying to verify whether it's been broken. You always treat it as something toxic that should be isolated and have limited, transient access to any data.
Gotta say I've seen many, many long-lived Kali VMs or laptops over the years. Whilst ideally ephemeral OS images would be great, not just for Kali but for testing environments in general, that doesn't always meet reality.
This (pentest tooling) is one of the areas that seems a good fit with containerization (podman, Docker, lxc, etc.), as their use case fits nicely (single-use ephemeral images with some isolation).
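As an added example of the "single-use ephemeral image with some isolation" idea above (not code from the thread or from the Kali project), the wrapper below runs one tool from the public kalilinux/kali-rolling image in a throw-away podman container: the container is deleted on exit, its root filesystem is read-only, all capabilities are dropped except the ones the tool explicitly needs, and the only writable host path is a results directory. The image reference is pinned to a digest, but the digest string here is a placeholder you must replace with one you have verified yourself; the helper names (`kali_run_flags`, `kali_run`), the `KALI_IMAGE` / `KALI_DEMO` variables and the 192.0.2.10 target address are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread or from Kali: run a pentest tool
# in a disposable, isolated podman container. Assumes podman is installed.
set -eu

# Hypothetical placeholder digest: pin to a digest you have checked against
# the publisher's signed metadata, never to a mutable tag such as ":latest".
KALI_IMAGE="${KALI_IMAGE:-docker.io/kalilinux/kali-rolling@sha256:REPLACE_WITH_VERIFIED_DIGEST}"

# Print the podman flags that make the container single-use and isolated.
#   $1 = host directory that becomes the only writable bind mount (/results)
#   $2 = comma-separated capabilities to keep (e.g. NET_RAW for nmap -sS);
#        empty or omitted means drop everything
kali_run_flags() {
    results_dir="$1"
    extra_caps="${2:-}"
    # --rm        : container is removed on exit, nothing persists
    # --read-only : root filesystem cannot be modified by the tool
    # --tmpfs     : scratch space in memory only, no exec, no setuid
    # --cap-drop  : start from zero capabilities
    # no-new-privileges : setuid binaries cannot escalate inside the container
    # --pids-limit: cap fork bombs from misbehaving third-party tooling
    flags="--rm --read-only --tmpfs /tmp:rw,noexec,nosuid --cap-drop=ALL"
    flags="$flags --security-opt=no-new-privileges --pids-limit 256"
    if [ -n "$extra_caps" ]; then
        for cap in $(printf '%s' "$extra_caps" | tr ',' ' '); do
            flags="$flags --cap-add=$cap"
        done
    fi
    # The results directory is the one place output may land; :Z relabels it
    # for SELinux hosts and is harmless elsewhere.
    flags="$flags -v $results_dir:/results:Z"
    printf '%s\n' "$flags"
}

# Run one tool invocation and let the container be destroyed afterwards.
#   $1 = results directory, $2 = capabilities to keep, rest = command line
kali_run() {
    results_dir="$1"; shift
    caps="$1"; shift
    # shellcheck disable=SC2046  # word splitting of the flag list is intended
    podman run $(kali_run_flags "$results_dir" "$caps") "$KALI_IMAGE" "$@"
}

# Demonstration: only executes when podman exists and KALI_DEMO=1 is set.
# 192.0.2.10 is a TEST-NET-1 address, a constructed target for illustration.
if command -v podman >/dev/null 2>&1 && [ "${KALI_DEMO:-0}" = "1" ]; then
    mkdir -p "$HOME/kali-results"
    kali_run "$HOME/kali-results" NET_RAW nmap -sS -oN /results/scan.txt 192.0.2.10
fi
```

Each scan starts from the same known image state and leaves nothing behind except what the tool wrote to `/results`, which is the transient, limited data access the comments above describe. The digest pin does not make the image trustworthy by itself; it only guarantees you run the exact bytes you previously verified, so the verification step stays on you.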