
Not quite true. Not all packages are created equal. For example, anything from PyPI, npm, RubyGems, and Homebrew is suspect. On the other hand, Debian/Ubuntu or Red Hat repos are likely much more trustworthy since they have actual paid trusted maintainers who review the source code.



Not sure where you got that impression. In lots of cases, package maintainers are people who use the software and are volunteering their time to bundle it up with the necessary bits to put in a distro repo. The same is true of language-specific repos or Homebrew.



