> a lot of companies that need their own package repositories
Every company needs its own package repository. You need to be able to control what is running in your environment. Supply-chain risk is very, very real and affects anybody selling software for a living.
This is beside the point that in the real world, not every risk is addressed, at least in part because available resources are diverted to address larger risks.