Some of these have corporate backing and/or better funding and thus more manpower to review things, but yeah it essentially applies to all of them. It's no accident that there's news about a new npm package being compromised every other week.

Ultimately, the way we're doing permissions on the OS level is fundamentally broken on desktop OSes, and we're increasingly feeling the effects of that. Ideally everything should be sandboxed by default, and only given access to it's own files, instead of everything the user has.

But we're a long way away from that, and that's not something a single project could enforce.