My understanding is probably not: the hooks are configured locally, not by other packages automatically, so you’d install and setup the pre-install hooks yourself to check the packages before install/update.

Can it be exploited? Yes, anything can. But that’s not a reason to not do this if the overall result is better.

And how a malware can use this if it's configured globally in a root:root owned config file?