alfanick 5 hours ago

Pinky promise? How do you prove that what I download from you is actually what you promise you've built (and that the SBOM is right)? Is this certified with some digital signature? From my threat attack model, you're just yet another liability - one single service to hack all your "safe" images.
morellonet 4 hours ago | parent

Sure, but you could make the same argument for literally any software that you're getting that was built by someone else and whose source you have not personally inspected line by line. For example, you could make the same argument about RHEL or any image on Docker Hub or literally anything you're not building yourself. I respect your viewpoint, and if these images aren't for you, that's totally fine of course. Many others find it useful to have someone else doing the commoditized but hard work of building thousands of components from source continuously, assembling them into ready-to-run images, signing them, and being as open as possible about their state and configuration.