I'm not sure what your implication is exactly regarding the HA community, but that aside:
I work in an industry that puts huge emphasis on the risks of software supply chain attacks; regardless of the community, in an ideal world, and in this situation, I too would be making sure any such code was very carefully reviewed by a trusted group of peers (including myself) and using signatures et al. to ensure everyone is "getting what they paid for", so to speak.
This might not be relied on to the extent people's lives depend on it, but if it's important enough to use, it's important enough to be sure.
All of that said, it's easy enough for me to say when there isn't such a terrifying list of munitions raining down on my home when I'm trying to get some rest, so a simple step such as "not updating from a known-good configuration" might be enough.