by jbverschoor 2560 days ago
What about all the npm modules?
1 comment

It’s turtles all the way down. The point here is that people don’t consider third-party content inclusion to be more of a risk than “completely harmless”, which is generally false: the risk may or may not be slight, but it’s never non-zero.
And to follow up specifically on the npm modules, if you're self-hosted, you can (but probably won't) audit the contents of what's been deployed when you deploy. You can then also keep that snapshot frozen in time, so you won't necessarily be impacted by any changes to those modules in future.

If you're using the hosted version, you have no idea whether or not the modules are being updated, which versions are in use, etc.

Having control of your environment gives you the opportunity to be more (or even less) secure. It's important to fully understand the risk / potential harm that outsourcing that responsibility to random persons can have.
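The "audit at deploy time, then keep the snapshot frozen" idea from the reply above, as an added example that is not part of the thread: it records a SHA-256 manifest of every file under a deployed dependency tree (a constructed fake `node_modules` here) and reports any file later added, removed or changed, so an unnoticed module update shows up instead of silently shipping.

```python
"""Snapshot deployed third-party code and detect later drift (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its digest.
    Symlinks are skipped so a link pointing outside the tree is not hashed."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def diff_manifest(frozen: dict, current: dict) -> dict:
    """Files added, removed or changed relative to the frozen snapshot."""
    return {
        "added": sorted(set(current) - set(frozen)),
        "removed": sorted(set(frozen) - set(current)),
        "changed": sorted(k for k in frozen.keys() & current.keys()
                          if frozen[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: freeze a fake node_modules, then alter it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "node_modules"
        pkg = root / "example-pkg"          # constructed package name
        pkg.mkdir(parents=True)
        (pkg / "index.js").write_text("module.exports = s => s;\n")
        (pkg / "package.json").write_text('{"name":"example-pkg","version":"1.0.0"}\n')
        # Persist the deploy-time snapshot; in practice keep this JSON alongside
        # the deployed artefact and re-run the comparison on a schedule.
        snapshot = json.dumps(build_manifest(root), indent=2)
        # Simulate a module being updated and a file appearing after deploy.
        (pkg / "index.js").write_text("module.exports = s => s; // updated\n")
        (pkg / "extra.js").write_text("")
        return diff_manifest(json.loads(snapshot), build_manifest(root))
```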