
murderfs, today at 7:51 AM

Has there been a single publicly known attack that would have been prevented by this?


Replies

MomsAVoxell, today at 11:13 AM

Why should it only be valuable if the effects were to be publicly known?

There are plenty of places in industrial computing where reproducible builds have prevented subterfuge within the organizations themselves. Injecting binaries to do inf-/exfiltration is a long-standing industrial espionage activity which is of immense value to all users of the operating system - not just the consumer users.

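An added illustration (not code from any commenter) of the check the comment above relies on: two independent builds of the same sources are compared member by member, so build-time nondeterminism such as timestamps is ignored while an altered or extra binary in one build is flagged. All file names and contents are constructed.

```python
import hashlib
import io
import tarfile

def build_archive(files, mtime):
    """Constructed stand-in for a build step: pack files into a tar in memory.
    mtime models nondeterminism (the build timestamp) between two builders."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def raw_digest(blob):
    """Whole-archive hash: differs between builds even when contents match."""
    return hashlib.sha256(blob).hexdigest()

def member_digests(blob):
    """Map each archive member to the hash of its bytes, ignoring metadata."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
        for m in tar.getmembers():
            data = tar.extractfile(m).read() if m.isfile() else b""
            out[m.name] = hashlib.sha256(data).hexdigest()
    return out

def compare_builds(build_a, build_b):
    """Names of members that differ between the builds or exist in only one."""
    a, b = member_digests(build_a), member_digests(build_b)
    return sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n))

# Constructed sample sources and three builds: the official one, an honest
# independent rebuild an hour later, and one with a modified and an added file.
SOURCES = {"bin/app": b"app-v1 bytes", "lib/helper.so": b"helper bytes"}
OFFICIAL = build_archive(SOURCES, 1700000000)
REBUILD = build_archive(SOURCES, 1700003600)
TAMPERED = build_archive({**SOURCES,
                          "bin/app": SOURCES["bin/app"] + b"<constructed extra bytes>",
                          "lib/extra.so": b"constructed unexpected member"}, 1700000000)

if __name__ == "__main__":
    print("raw hashes equal:", raw_digest(OFFICIAL) == raw_digest(REBUILD))  # False
    print("honest rebuild diverges in:", compare_builds(OFFICIAL, REBUILD))    # []
    print("tampered build diverges in:", compare_builds(OFFICIAL, TAMPERED))
```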
PunchyHamster, today at 10:13 AM

Zero in Debian. They have enough other procedures to catch it.

Less diligent projects had it, but there are easier ways to fix it.

LtWorf, today at 9:44 AM

Several actually. Pypi is regularly targeted in this way.
