Let's not forget, in the majority of cases in Debian, the packager is not the software author. It's an independent volunteer, vetted by a community of such volunteers.

This is an incredibly useful, I'd say essential, firewall. I really don't like the Windows/macOS approach of "just do everything yourself, we'll do nothing", and likewise the npm et al approach of there being a fully automated package registry which merely distributes packages to millions of people, and leaves the onus on the software author for when to publish and what to publish.

A drive-by script could trigger some CI via a developer's credentials to publish a new version. If the outcome of that is it merely sends an email to a second person, who might get around to looking at it, and will likely look at the diffs, have to write up what the changes are, and might email back... that's a hell of a lot better than push straight to prod

We still have the problem of Debian developers being free to push their own changes, and a suitably knowledgeable one could hide stuff from the various automated testing and analyses they face, but even then they face pushback from real testers, and if caught pushing malware they'd lose their prestigious volunteer position of trust instantly.