bjconlan 3 days ago
Perhaps if a supply chain attack is your largest concern, then using some well-vetted system like Wolfi is more up your alley. (See some of their related repos on GitHub https://github.com/projectbluefin - I've been following the development of it and currently it is still under development.) Again, "vetting" is a source of contention here, as I'm not sure how the quality of official RPM sources compares to those outlined in an SBOM.