Thanks for this thread. It's disheartening that SLSA and dependency-driven attacks aren't clear to the general development populace, but you've done a good job of explaining the threat even assuming the best of intentions (which I sure don't) out of app developers themselves.
It's a layered set of problems, and the answer is high walls.