Going to link this Bazzite post I shared previously:
If anything, supply chain attacks are something all of the maintainers should be mindful of, watch out for, and find ways to prevent. As for the end-user, install software that you find trustworthy, just like on any other operating system. Opt for software that is open source over proprietary when you can.
Edit: Some of the links in that post need to be updated for the Fedora 41 base and are also specifically for Bazzite… However, since most of the packages are maintained by Fedora maintainers, I feel there is some structure involved at the top, and where we have to worry is the custom packages on top of the images (i.e. the base images and Bluefin-specific packages that get pulled in).