It’s not like Hex has some magical way of only downloading non-malicious packages.

If Hex gets popular enough, it will happen there, too. Even if the install process doesn’t run arbitrary code, when you actually load the library, it can do stuff, so I don’t see any reason to gloat.