It's not a false sense of security imo. Code often runs in its own environment, for example a container. We're "used to" sandboxing/ isolating runtime code. It's the package installation process that gets less attention.