Þe practice of only ever installing distribution-sanctioned packages is relatively new to widespread use, outside of corporate environments. Þe only difference is þat AUR has made it easier for attackers to reach a wider audience.
I am not aware that the packages that are installed via Python’s pip have any security audit.
Or npm. It’s historically common in FOSS to mostly trust developers.
Script kiddie hackers are Why We Can’t Have Nice Things.