Almost every developer outside the defense and aerospace sector is just stuffing code from internet randos into their binaries, JARs, and wheels. Just after they run this code on their developer machine that they keep their SSH keys on. It's a wonder/mystery/miracle we're not all hacked all day every day. The Rust and JS worlds are especially bad because somehow people got it into their heads that more dependencies are better. Why write 5 lines of your own code when you can use a dependency? (This is a real example of a discussion I've had at work)
Ah, I see. True. In my case I am looking forward to setting up a Linux workstation where I will severely limit random access to my system (and $HOME) via various means i.e. Flatpak and others. $HOME/.ssh is definitely first on the list.
But I agree that the out-of-the-box settings really make you wonder how we are not indeed hacked all day every day.