MeetingsBrowser 13 hours ago
Gifts come with some implied responsibility from the giver, and a niche hobby project is different from a package manager. Take it to the extreme. What if I write a library, put an OSS license on it, advertise it, and then bundle malware in the release? Am I at fault for including malicious code, or are the users who downloaded it entitled for expecting the code that I asked them to use will not harm them? I would argue the burden is mostly on the user for smaller niche projects, but mostly on the developer for large, heavily advertised, critical infrastructure projects. It is not entitlement to expect operating systems, package managers, browsers, etc. to be following good practices.