Nonsense. Package managers need to be able to run scripts as root to do the installation. And yet, in the last 25 or 30 years there's never been a case of a malicious contributor successfully inserting a backdoor in the installation script of any package in any major distribution.
Because there is a vetting process, nothing else.
[And yes, of course, it would be possible to sandbox each package installation to access some very specific paths but so far it's really unnecessary]