Zypper at least has a notion of "vendor", so you can arrange things so that only the handful of packages you care about will actually come from Packman.

Ubuntu actually has first-party repositories with proprietary codecs.

Nixpkgs is a pretty comprehensive monorepo of packages with a more normal review process than the AUR, and it includes non-free software as well, plus the model with flakes for third-party stuff is that you trust individual publishers for their little repos rather than one giant grab bag repo of unreviewed content like the AUR.

RPMFusion for Fedora kinda has a similar profile, in that it's a shared repo for various things unsuitable for the main one, but it follows more or less normal Fedora packaging and review standards, doesn't it?

Supply chain attacks are possible everywhere and some distros have particular weaknesses, but the AUR really is pretty much uniquely bad here.

I use Gentoo. You have to specifically install "overlays" and every package maintainer would make their own overlay. You can't easily take over an overlay without the original person's permission.

That being said, still one namespace. Once you add an overlay it can replace any package it wants.

It's also Gentoo so too hard for most people to figure out.

Yes, the only reason this isn't happening in other distros is simply popularity.

Namespacing is the solution, and as mentioned in the article some ditros do indeed have namespaced user repos, like Fedora's Copr. The trust model of a flat namespace user repo is completely broken when the maintaining user can change at any moment.

Packman is more akin to rpmfusion, than AUR. OBS is the AUR equivalent for OpenSUSE.