I'm a lot less worried about this than I am about MELPA packages being targeted. But any other editor that incorporates a package manager exposes the same threat surface, and just about all of them are a lot more popular (thus more worth targeting) than Emacs.

Yes, it boils down to "be careful with untrusted code" no matter where it comes from. This is certainly not unique to emacs.