fsckboy 2 days ago

a zillion comments here and it's not mentioned yet:

packages are installed as root/admin with elevated privilege

packages are run as ordinary lusers

this is why curl|bash is a more dangerous thing to do.

traditionally, the people with the root password were experienced and trained for this type of analysis, but with personal machines this line of defense does not exist

yes, there are scripts also built into package installers. now you can understand why there shouldn't be, or at least the post-install script can be inspected (this is a major benefit of scripts)

all the noise you want to make about how different distros make the problem harder is part of the problem if your solution is to capitulate to practices which are unsafe-by-design