thephyber 2 days ago

This is one of the best heuristics (because it’s so short and easy to memorize). I learned it from my mother, who is kinda low tech but understood risk.

But ultimately, it’s a heuristic and is imperfect.

One example thing which bypasses weakness to this heuristic: when you import a programming language library or a “curl pipe bash”: how much research do you do to verify the authenticity of the library, the security of the package and contributors, that you didn’t typo and accidentally install a lookalike malware, etc? And then every time you take an action which updates the same thing, are you equally as rigorous and vigilant as the first time?