We build all these images directly from upstream source across thousands of projects and assemble them into standard OCI images for you. We do this continuously, every time there are new versions released upstream.
The point is that you can just use these images instead of what you already have and reduce your vulnerabilities by 97%+ on average.
Think Docker Hub, just without the vulnerabilities.
Pinky promise? How do you prove that what I download from you is actually what you promise you've built (and that the SBOM is right)? Is this certified with some digital signature?
From my threat attack model, you're just yet another liability - one single service to hack all your "safe" images.
Sure, but you could make the same argument for literally any software you're getting that was built by someone else and whose source you have not personally inspected line by line. For example, you could make the same argument about RHEL or any image on Docker Hub or literally anything you're not building yourself.
I respect your viewpoint, and if these images aren't for you, that's totally fine of course. Many others find it useful to have someone else doing the commoditized but hard work of building thousands of components from source continuously, assembling them into ready-to-run images, signing them, and being as open as possible about their state and configuration.