The difference between a "package being installed by a package manager" and "an application being installed by an installer" can be as small as you want. Linux packages have "installers and uninstallers" in the sense that inside a .deb file for example there are scripts doing necessary tasks for installing and uninstalling. And whether they make a mess is only dependent on these scripts behaving in a way that doesn't make a mess.
So having a package format or package repository doesn't necessarily prevent packages from doing arbitrary or stupid things (there is no difference between a .deb file or an .msi file in that regard). The app store or repository might add a level of human vetting, but technically there is no difference.
I would argue that it's better to have most of the vetting be technical: ensure that the package/installer format doesn't allow making a mess. Sandbox everything, prevent writes in the wrong places, etc. More modern formats like flatpak/msix/etc. are of course better in this regard.
And the key thing about them is that they prevent a mess on the technical level so that the human vetting (and thus repository) isn't really required.