Not sure about apt, but this is solvable. Arch's pacman supports https and package signing, and only packages signed by trusted maintainers will get installed. That means it should be fairly difficult to swap legit packages for malicious ones and get them installed.
Not impossible, nothing ever is, but fairly difficult.
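For anyone who wants to check that the guarantee described in the comment above is actually enforced on their own box, this is an added illustration (not from the original post) of the relevant pacman.conf settings: the weak value beside the enforced one, plus the https mirror entry; the file paths are the standard Arch locations and the mirror hostname is a placeholder.

```ini
# /etc/pacman.conf (excerpt)
[options]
# Weak: signature checks disabled, so a package swapped on a mirror installs silently
#SigLevel = Never

# Enforced: every package must be signed by a key that pacman's keyring marks as
# trusted; repository databases are verified whenever a signature is available.
SigLevel          = Required DatabaseOptional
LocalFileSigLevel = Optional

# /etc/pacman.d/mirrorlist (excerpt): an https mirror protects the transport as well,
# so a network attacker cannot tamper with or downgrade what the signature check sees.
Server = https://mirror.example.org/archlinux/$repo/os/$arch
```

`pacman-key --list-keys` shows which maintainer keys the local keyring currently trusts.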