I wouldn't assume anything about distro packages really. It's a higher bar in some systems (like Debian), lower in some (like nixpkgs), but the time investment to be in a position to sabotage something is quite low overall and requires little skill. Then there are not-distro packages that they easily abused over time. For example sourceforge was a respected distributor of software for a long time and they moved to adware installers.
I stick to official distro packages from distros I like, mainly Debian and OpenSUSE. Community packages are too sketchy for me, and I consider downloading packages from sourceforge/etc to be a Windowism. And while it's possible for a malicious entity to infiltrate the ranks of distro packagers, I think the threat of the developer selling out has proven to be more likely.
