Competent is one thing, malicious is another.
I can agree that Debian maintainers are generally more incompetent, but they do actually vet dependencies for conformance to Debian ideology.
Upstream may be developing malware, or they may be adding telemetry or ads. So if we just allow them to install 500 Node packages whose behaviour we don't know... That's suspicious. That's asking for trouble.
Debian keeps tight control on its supply chain. It's not perfect or bug-free, but it is within Debian's goals.
So if you want a free distro with almost completely free sources, then Debian is really one of your only choices.