herpdyderp an hour ago

> why does it help?

Because install scripts are being actively exploited, so blocking them will reduce your exposure. Install scripts will also run anywhere that runs npm ci, npm install, etc., including build pipelines.

> Can't they just jam the malware into the package itself

Yes. Disabling install scripts won't safeguard you from all attack vectors.