Correct, the above mitigation is only for malware on the dev laptops and build servers. IOW, it doesn't prevent injecting the malware on your program when compiling it.
Modern languages make offline builds far more difficult then they have to be, unfortunately. Rust, for example, buries its off-line installer on another domain. Rust also doesn't advertise or encourage bundling dependencies. Lastly, unrestricted build scripts basically give every dependency full code execution.
