Indeed. I mention this in light of the high-profile supply-chain attacks recently across diverse platforms (Arch AUR, Shai-Hulud, etc). Any online tool that purports to modify an entire install medium should be heavily and continually scrutinised. I'm not saying the developer can't be trusted, but the infrastructure and people in general can't.