If you are downloading the program at all, that means you are trusting its programmer. Downloading it from a repo is adding another party to trust vs downloading it directly from the programmer.
If I apt install kdenlive and then run kdenlive, the program has never ran as root and cannot make itself run a service in the background, or log keystrokes, or install other things.
If I download a package or an installer from the Internet the publisher runs a program as admin on my computer and can do whatever it wants, bundle adware, start hidden services, whatever.
My distribution is not 'another party to trust'. It's the party I already trust the most. If I or someone else find something harmful in a program that's on the repo, I expect the distro to remove the program or patch out the harmful parts, while I don't expect the first-party installer to become better in any way.
If you are downloading the program at all, that means you are trusting its programmer. Downloading it from a repo is adding another party to trust vs downloading it directly from the programmer.
If I
apt install kdenliveand then run kdenlive, the program has never ran as root and cannot make itself run a service in the background, or log keystrokes, or install other things.If I download a package or an installer from the Internet the publisher runs a program as admin on my computer and can do whatever it wants, bundle adware, start hidden services, whatever.
My distribution is not 'another party to trust'. It's the party I already trust the most. If I or someone else find something harmful in a program that's on the repo, I expect the distro to remove the program or patch out the harmful parts, while I don't expect the first-party installer to become better in any way.