> Linux's security model is based on trusting the software you're installing from the FLOSS repositories,
That's not a security model, and we don't live in fairyland.
Just take a look at how well this works with npm packages. It just so happens that emacs plugins are not the most worthwhile target for attackers.
> npm packages
This has nothing to do with what I said. npm is not a trusted or a FLOSS repository.
> we don't live in fairyland
When did you last see malware in Debian's repositories?