Actually it does. The repo maintainer is on the user's side, so they are doing MITM on the attack vector. This makes it harder to get your malicious code in, because the MITM might intercept it.
Yes, now you have to trust the maintainer, but that's sometimes easier.