[fuzzy2]

No, WinGet does not generally protect against this. While PRs to update package versions are verified in some way before going live, the necessary throughput can only be achieved with shallow checks. A determined actor could easily get a malicious update in, once they control the original source.

Other than that, WinGet is mostly just "run setup.exe". It is not a package manager. It's basically MajorGeeks as a mediocre CLI.

[briHass]

Nonsense. WinGet has the ability to add repositories, just like any other package manager. If you want the 'approved' packages for the distro, that would be the msstore repository. If you want to use the 'community feed', which WinGet warns you about the first time you use it, it's less vetted, but still goes through Defender scans and community moderators.

If you go adding any old repo to APT, you have the same risk. You should look at how much code review goes into packages for major distros like Debian, hint, not much, especially once the initial package was accepted.