It is baffling to me, as well. You know how you get a remote-code-execution vulnerability? You give a bunch of software permission to fetch code remotely and execute it.
At least JS code in a browser is sandboxed. A Notepad++ update is just rawdogging an executable on your bare metal, perhaps with admin privs even, and hoping for the best.
First, it wasn't even the developer who compromised people, here; second, scripts in most cases are orders of magnitude less dangerous than a windows executable.
And, in many cases you can get some protection from a developer going rogue (or not writing perfect code), it's not an all or nothing.
And there isn't really a way to confirm if it is configured in a secure way.
You either trust the developer or not.