It's unstated, but I'm willing to assume that only the root package.json is consulted to decide if these scripts are allowed. Otherwise, yes, this would not actually change anything.

Thanks for the sanity check!

Had a quick read on my mobile, and that was my first impression.

Guess its more of a way to make the maintainers accountable instead of making npm reputation the main focus.