Hacker News

It's all relative, of course. But getting a signed package from the repo of the distro I've been using for years is something different from using a random image from hub.docker.com.


Sure, but you are still relying on trust, and you are choosing to limit yourself to things released by your chosen distro. This is the same as if you were to pick a specific docker publisher that you trust, and only use their images.


It's arguable that it's not quite the same. It all comes down to consequences.

If a distro messes up the trustworthiness of an application, they, the big and important company, lose clout.

If the application developer messes up, they also lose clout - people may stop using their software.

Chances are, if you're using a third party for a third-party piece of software that isn't officially dockerized by the company that developed it, nor by a major distro, there's no real backlash if it doesn't work or if they get hacked, etc.: "it was a third-party trick, so _of course_ it wasn't trustworthy" would be the statement everyone makes.

Debian messing up, or Cisco or Oracle, etc., is a much bigger deal.
