Unless you're running Gentoo or similar, you're trusting your distro maintainers to produce clean, non-malicious binaries any time you install anything from the package manager.
Choosing to download and run programs is not giving someone else RCE, unless you download and run something that allows for RCE. It's not an inevitable truth like it is with Windows or (usually) Ubuntu (not sure about macOS).
So what's your approach? Are you Amish? Or did you compile every component of your setup (UEFI firmware and [C,G]PU microcode included) from source after auditing it? Or are you just convinced that a system that can't have a third party run arbitrary code simply can't exist? Please elaborate.
Ah you see I tried that but ran into a bug: the closer you inspect one of the universe's registers, the less accurate my reading of the value is. It seems that I can either ascertain the memory location of a declared variable OR its value, but the closer I get to one, the foggier the other gets.
Has anybody else encountered this bug when manipulating the fabric of space-time in Rust? It's throwing a pretty major wrench in the gears of my newest HN-inspired project: making a Rust port of the Universe for added memory safety.