> I’ve not had time to compile everything from source,

Then use the official binary packages?

> and compiling from source is a false sense of security, since you still don’t know what’s been compromised (it could be the compiler, etc.), and few have the time or expertise to adequately review all of the code.

That would still leave you in a strictly better position, surely? Any other distro would pull the same code and build with compilers, so that attack surface exists regardless.