by adidalal 3753 days ago
If you installed/updated via Homebrew-Cask [1], you should not be affected. 2.90 was not always compromised, and looking at Caskroom history, the checksum was only updated for the 2.84 -> 2.90 bump once [2].

It is updated and at 2.92 now, also [3].

(I'm one of the maintainers of Homebrew Cask)

[1] https://github.com/caskroom/homebrew-cask

[2] https://github.com/caskroom/homebrew-cask/issues/19504#issue...

[3] https://github.com/caskroom/homebrew-cask/pull/19508

1 comment

Homebrew Cask is awesome, but I still think security is an issue here because you still have to trust that the upstream binaries are safe, each built and hosted by totally different people. Verifying checksums is certainly better than not checking them, but you still haven't escaped from the trust-whatever-binary-you-downloaded-from-the-internet style of doing things. I really wish package managers like Homebrew Cask offered some level of trust by building applications from source and signing them, like Debian.
You are absolutely correct. Homebrew-Cask favors convenience and availability of as many applications as possible, though we make reasonable efforts to avoid malicious actors by verifying checksums, download links, and (soon) GPG verification where possible.

You may be interested in https://www.macports.org for a build-from-source solution for OSS projects.
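The two points made above, that a pinned checksum protects against a binary being swapped after the checksum was recorded, and that it says nothing about whether the binary was already compromised when the checksum was recorded, can be shown in a few lines. The following is an added example, not Homebrew-Cask's own code; the file contents are constructed stand-ins, and `verify_checksum` and `pin_from_upstream` are hypothetical helper names.

```ruby
require 'digest'
require 'tempfile'

# Compare a downloaded artifact against the SHA-256 pinned in the package
# definition. Returns :ok on a match, :mismatch otherwise.
def verify_checksum(path, expected_sha256)
  actual = Digest::SHA256.file(path).hexdigest
  actual == expected_sha256.downcase ? :ok : :mismatch
end

# Model of how a maintainer records the checksum at version-bump time:
# the pin is simply the digest of whatever upstream served at that moment.
def pin_from_upstream(path)
  Digest::SHA256.file(path).hexdigest
end

# Helper for the demonstration: write constructed bytes to a temp file.
def constructed_file(name, contents)
  f = Tempfile.new(name)
  f.write(contents)
  f.flush
  f
end

# Scenario 1: checksum pinned against a clean upstream file, then the hosted
# file is replaced. The pin catches the swap.
# Scenario 2: checksum pinned against an already-tampered upstream file. The
# pin matches, because the maintainer had no independent source of truth.
def demo
  clean    = constructed_file('app-clean.dmg',    "constructed stand-in for the clean disk image\n")
  tampered = constructed_file('app-tampered.dmg', "constructed stand-in for a tampered disk image\n")

  pin_from_clean    = pin_from_upstream(clean.path)
  pin_from_tampered = pin_from_upstream(tampered.path)

  results = {
    swap_detected:  verify_checksum(tampered.path, pin_from_clean),    # :mismatch
    bad_pin_passes: verify_checksum(tampered.path, pin_from_tampered), # :ok
  }
  clean.close!
  tampered.close!
  results
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The second result is the limitation the thread is about: checksum verification in the package definition detects a change relative to what the maintainer saw, not a compromise that happened before the maintainer looked. Closing that gap needs something independent of the download server, such as the GPG verification mentioned above or a reproducible build from source.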