by diego_sandoval 1022 days ago
You don't trust Github to not host any malware, and you don't trust Github to not have malicious users.

You trust Github to have reasonably good security, and to not maliciously meddle with user content, so that if you see a repository under github.com/neovim, and you additionally trust the user called neovim, then you can reasonably trust that any repositories under github.com/neovim don't contain malware.

1 comment

Even when you trust the repo owner, you can't trust their projects. A bad actor could still submit a PR with malicious code, and it could be merged just by negligence.