You are right that the inference ecosystem (llama.cpp, vLLM) has moved aggressively to GGUF and Safetensors. If you are just consuming optimized models, you are safer. However, I see two reasons why the risk persists: 1) The Supply Chain Tail: The training ecosystem is still heavily PyTorch native. Researchers publishing code, LoRA adapters, and intermediate checkpoints are often still .pt. 2) Safetensors Metadata: Even if the binary is safe, the JSON header in a .safetensors file often carries the License field. AIsbom scans that too. Detecting a "Non-Commercial" (CC-BY-NC) license in a production artifact is a different kind of "bomb" - a legal one - but just as dangerous for a startup.

People will take the risk with uncensored models tuned for specific things. I'm glad we're talking about this now rather than 10 years later like with npm. The amount of ad-hoc AI tools on github is staggering, and people are just downloading these things like it's no big deal.