Hacker News

ownagefool, today at 8:25 AM

Reproducible builds show that, within a specific configuration, the code produced the binary, regardless of who signed or published it.

Indeed, this could mitigate an attacker replacing the binary with something that's not produced from the code, but it does not mitigate the toolchain or code itself containing the exploit, creating a malicious binary.
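An added illustration of the two points in the comment above (example code, not from the comment or any real project): the "binary" is a deterministic zip of a constructed sample source tree, the publisher's signing key is a constructed HMAC stand-in, and the independent rebuild is compared byte-for-byte with the published artifact. A swapped artifact carries a valid signature but fails the rebuild; source that already contains the unwanted change rebuilds perfectly, which is the limit the comment points out.

```python
import hashlib
import hmac
import io
import zipfile

# Constructed sample source tree (the code a reviewer can audit) and a
# constructed stand-in for the publisher's signing key.
SOURCE = {"app/main.py": b"print('hello')\n", "app/util.py": b"def f():\n    return 1\n"}
SIGNING_KEY = b"constructed-publisher-key"

def build(source: dict) -> bytes:
    """Deterministic 'compiler': zip the tree with a pinned timestamp and a
    fixed member order, so identical source always yields identical bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(source):
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, source[name])
    return buf.getvalue()

def sign(binary: bytes) -> str:
    """Publisher's signature over the released bytes (HMAC as a stand-in)."""
    return hmac.new(SIGNING_KEY, binary, hashlib.sha256).hexdigest()

def signature_valid(binary: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(binary), sig)

def reproduces(source: dict, published: bytes) -> bool:
    """Independent rebuild: does the reviewed source produce the published bytes?"""
    return hashlib.sha256(build(source)).digest() == hashlib.sha256(published).digest()

def demo() -> dict:
    honest = build(SOURCE)
    # Case 1: bytes altered after the build, yet signed with the real key.
    swapped = honest + b"\x00"  # constructed: no longer what SOURCE produces
    # Case 2: the unwanted behaviour is already in the source that gets built.
    tainted_source = {**SOURCE, "app/util.py": b"def f():\n    return 2  # unreviewed change\n"}
    tainted = build(tainted_source)
    return {
        "honest_signed": signature_valid(honest, sign(honest)),
        "honest_reproduces": reproduces(SOURCE, honest),
        "swapped_signed": signature_valid(swapped, sign(swapped)),  # signature alone passes
        "swapped_reproduces": reproduces(SOURCE, swapped),           # rebuild catches the swap
        "tainted_reproduces": reproduces(tainted_source, tainted),  # passes: the check's limit
    }
```

Reproducibility only ties published bytes to a given source and toolchain; reviewing that source (and trusting the toolchain) remains a separate step.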