On the flipside, it's more plausible for an actor to get malicious code into a project in order to infect a target. Sure it has to be obscure enough to pass any code reviews during PR and/or involves compromising a contributor but it is possible and something I see happening in the next 10 years.

I'm also genuinely curious how many people actively review all the code they actually run. I doubt anybody but the very largest tech companies and high-end government would actually be able to afford and resources such a feat, and even then they would have DMZ-type areas to detonate unaudited software.