[jFriedensreich]

I would say the trust model of all editors is broken. You cannot really blanket trust any project at all with agents and the amount of supplychain attacks, not even your own. Editors must move to a capabilty based sandbox where you dont just grant trust but grant concrete capabilities like in a browser sandbox.

[kode-targz]

i don't think the core problem here has anything to do with trust to be honest. The problem here os developers using so many external packages and code and libraries for their projects; commercial or otherwise. them just having to ho on trusting everything by default is just one of the many side effects of that.