> Yeah with RPM and dpkg you're trusting the distro, or maybe individual distro maintainers, depending on how you consider it.

Not all packages come from the distro. People can and do enable external sources for software that isn't part of their OS.