Correct. Pretty limited as a protection when the first thing you do after installing a package is running it.

Literally the only thing blocking scripts protects you from is if a package is bundled by webpack and not run by node. If the compromise happens in nx, it's just run after up type nx[enter] in your command line.