You have been trusting, and continue to trust, Automattic for the core code.
If, for example, Automattic had instead said they would bundle the plugin functionality with the core (there are many historical cases of that, unpleasant as it usually is for the third party)... the results are identical, right?
This plugin can only operate on top of the core code, whoever distributes the plugin to you. It means you have to decide to either bin the whole ecosystem, or use the core and plugin from the same people.
It's also open to the plugin people to distribute the core themselves, but since they don't have a history of working on it, why would you imagine that, for core maintenance, you can trust a smaller private equity-funded group that historically leeches on the core project more than the originating project for the core?