Hacker News
by copper_rose 3366 days ago
I can understand why those scenarios would be concerning. Ultimately, what matters depends on the threat model. I believe that the Nix model can be used as a base for solving issues like the one presented here, and that it can be done in generality, for a wide spectrum of software.
1 comment

Reproducible builds (which it seems like Nix focuses on) are useful, but they don't address the problem of whether you got the same binary or source as everyone else at all.
Nix's functional software deployment model is a useful tool for building software reproducibly, but reproducible builds are neither the primary motivation for nor the primary goal of the Nix model. For information on what problems it aims to solve, how it solves them, and how it can be applied in various useful ways (e.g., a package manager is just one particular thing you can implement using the Nix model), I suggest you read the first chapter of the thesis I linked earlier. It's very interesting, and I think you'll find that the model can be applied to problems like this; it's not just about building software reproducibly, although software that builds reproducibly is conducive to the model.