>Mainstream desktop operating systems have weak security models that aren't fit for purpose in our modern online-first world
Stop using propietary software first, then we will discuss your "security" rants.
Perl users have been using CPAN since forever, so did LaTeX users with CTAN.
Ditto with Emacs users with ELPA and NonGNU. No issues with addons.
This has little to do with being open or proprietary. CPAN is analogous to repositories we use with pip or npm today and most of what is involved is not proprietary on any of those platforms. The relevant differences are cultural and technical.
I don't think invoking CTAN as an example is very convincing. It's well known that there are only seven people in the universe who can actually program TeX and they probably have little interest in trying to infect each other with malware.
Stop using propietary software first, then we will discuss your "security" rants. Perl users have been using CPAN since forever, so did LaTeX users with CTAN. Ditto with Emacs users with ELPA and NonGNU. No issues with addons.