"NPM isn't inherently different from, say, Debian repositories, except the latter have oversight and stewardship and scrutiny"

Yeah thats the entire point.