As best I can tell, and I'm willing to be proven wrong, to tell Netlify which static site generator to run, the configuration must specify the command. Unless Netlify is maintaining the version/container/build of whatever command is given, it's up to the site owner to provide that. Thus, it's on the site owner to specify a build command that doesn't introduce undesirable or malicious behavior.



It's a nodejs app using a standard package.json which captures all of the dependencies (including docusaurus version, etc.). Netlify detects the package.json, loads a container with node, installs the dependencies and goes to work. You don't need to manage anything. See more details: https://docs.netlify.com/configure-builds/manage-dependencie...


I don't see anything there that says Netlify is managing or maintaining the details. The customer provides the package.json. If that file contains a reference to a library or code that introduces bugs or vulnerabilities, it's on the customer. Thus it still puts the burden of maintenance on the customer.

In a managed SaaS installation, the customer would be paying for the functionality of, say, docusaurus, but the company would provide and maintain the dependencies. It's the difference between paying for a server to run a version of mysql you specify and paying a service to run mysql and keep it in a known good configuration while the customer is able to use mysql.



