• HaraldvonBlauzahn@feddit.org · 2 · 2 hours ago

    If you e.g. install a CLI tool via cargo, there is at least an implicit tree of trust, with each dependant in a dependency tree doing at least some minimal vetting of dependencies.

    But it is still weaker than Debian packages, for example, while on the other hand the number of dependencies now often goes into the hundreds.
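To put a number on the "implicit tree of trust" the comment describes, here is an added example (not code from the commenter or from Cargo) that walks a `cargo metadata` dependency graph and reports how many packages each direct dependency pulls in transitively. It assumes the `resolve.root` / `resolve.nodes[].dependencies` layout of `cargo metadata --format-version 1`; the sample graph is constructed by hand, not captured from a real crate.

```python
# Added example (not from the thread): walk a `cargo metadata` resolve graph
# and count how many packages each direct dependency pulls in transitively.
# Assumes the `resolve.root` / `resolve.nodes[].dependencies` layout of
# `cargo metadata --format-version 1`; the sample graph is constructed.
import json
from collections import deque

# Constructed stand-in for `cargo metadata` output, trimmed to the fields read.
SAMPLE_METADATA = json.dumps({"resolve": {
    "root": "mytool 0.1.0",
    "nodes": [
        {"id": "mytool 0.1.0", "dependencies": ["clap 4.0.0", "serde 1.0.0"]},
        {"id": "clap 4.0.0", "dependencies": ["anstyle 1.0.0", "strsim 0.10.0"]},
        {"id": "serde 1.0.0", "dependencies": ["serde_derive 1.0.0"]},
        {"id": "serde_derive 1.0.0", "dependencies": ["syn 2.0.0", "quote 1.0.0"]},
        {"id": "syn 2.0.0", "dependencies": ["quote 1.0.0"]},
        {"id": "quote 1.0.0", "dependencies": []},
        {"id": "anstyle 1.0.0", "dependencies": []},
        {"id": "strsim 0.10.0", "dependencies": []},
    ]}})

def load_graph(metadata_json):
    """Return (root_id, {pkg_id: [dep_ids]}) from cargo metadata JSON."""
    resolve = json.loads(metadata_json)["resolve"]
    return resolve["root"], {n["id"]: list(n["dependencies"]) for n in resolve["nodes"]}

def transitive_closure(graph, start):
    """Packages reachable from `start` (excluding `start`). Iterative BFS with
    a visited set, so shared or cyclic edges are counted once and cannot loop."""
    seen, queue = set(), deque(graph.get(start, []))
    while queue:
        pkg = queue.popleft()
        if pkg in seen or pkg == start:
            continue
        seen.add(pkg)
        queue.extend(graph.get(pkg, []))
    return seen

def trust_report(metadata_json):
    """For the root crate: total transitive packages, and per direct dependency
    how many further packages it brings in. Every entry is a maintainer the
    root author is trusting implicitly, as the comment above describes."""
    root, graph = load_graph(metadata_json)
    per_direct = {d: len(transitive_closure(graph, d)) for d in graph[root]}
    return {"total": len(transitive_closure(graph, root)), "per_direct": per_direct}

if __name__ == "__main__":
    report = trust_report(SAMPLE_METADATA)  # swap in open("metadata.json").read() for a real tree
    print(f"{report['total']} transitive packages")
    for dep, n in sorted(report["per_direct"].items(), key=lambda kv: -kv[1]):
        print(f"  {dep}: pulls in {n} further package(s)")
```

Run it against the output of `cargo metadata --format-version 1 > metadata.json` in a real project to see which direct dependency is responsible for most of a tree that runs into the hundreds.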