because nobody is there to stop them, which distro maintainers are going to strip out in distro packages because it’s harmful to users.
I doubt that's really the case? Most distro maintainers mostly want to make sure a package works with their provided libs etc. If a package is malicious, it just will not become a distro package. At the same time this esoteric part about what distro maintainers actually do is so nebulous and at the same time “overrated” (Debian).